Rtfobj – Detect and Extract Embedded Objects in RTF

rtfobj is a Python module to detect and extract embedded objects stored in RTF files, such as OLE objects. It can also detect OLE Package objects, and extract the embedded files.

Since v0.50, this tool contains a custom RTF parser that has been designed to match MS Word's behaviour, in order to handle obfuscated RTF files. See my article "Anti-Analysis Tricks in Weaponized RTF" for some concrete examples. The tool can be used either as a Python library or as a command-line tool.


rtfobj displays a list of the OLE and Package objects that have been detected, with their attributes such as class and filename. Microsoft constantly releases updates and patches for Microsoft Office that fix security bugs which would otherwise allow an attacker to execute a malicious program on a targeted machine; one example is CVE-2017-11826, a Microsoft Office remote code execution vulnerability.

Much research has been published on how attackers target this type of vulnerability with malicious Rich Text Format (RTF) documents to install a backdoor used to monitor user activity. This tool allows incident responders to analyze the malicious object and trace the attack back to its source.
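To show what the tool is looking for inside an RTF file, here is a simplified, self-contained Python example written for this page (it is not rtfobj's own parser): it locates each `\objdata` destination with a regular expression, decodes the hex stream while ignoring the whitespace and line breaks that Word tolerates and obfuscated samples abuse, and reads the OLE 1.0 object header (field layout as documented in MS-OLEDS) to recover the class name and embedded native data. The sample RTF is constructed inside the block; the real rtfobj parser handles many more cases (nested groups, `\bin` data, Package internals) than this illustration does.

```python
import re
import struct

OLE_VERSION = 0x00000501                        # OLE 1.0 ObjectHeader.OLEVersion (MS-OLEDS)
FORMAT_LINKED, FORMAT_EMBEDDED = 1, 2           # ObjectHeader.FormatID values
OBJDATA_RE = re.compile(rb"\\objdata\s*((?:[0-9A-Fa-f]|\s)+)")  # simplified locator

def lp_str(s: bytes) -> bytes:
    """LengthPrefixedAnsiString: 4-byte length (counting the NUL) then the bytes."""
    return b"\x00" * 4 if not s else struct.pack("<I", len(s) + 1) + s + b"\x00"

def build_ole1_embedded(class_name: bytes, native: bytes) -> bytes:  # constructed test data
    return (struct.pack("<II", OLE_VERSION, FORMAT_EMBEDDED)
            + lp_str(class_name) + lp_str(b"") + lp_str(b"")  # ClassName, TopicName, ItemName
            + struct.pack("<I", len(native)) + native)

def parse_ole1(data: bytes) -> dict:
    """Return class name, format id and native data of an OLE 1.0 stream."""
    version, fmt = struct.unpack_from("<II", data, 0)
    if version != OLE_VERSION or fmt not in (FORMAT_LINKED, FORMAT_EMBEDDED):
        raise ValueError("not an OLE 1.0 object header")
    pos, names = 8, []
    for _ in range(3):                          # ClassName, TopicName, ItemName
        (n,) = struct.unpack_from("<I", data, pos)
        names.append(data[pos + 4:pos + 4 + n].rstrip(b"\x00").decode("latin-1"))
        pos += 4 + n
    native = None
    if fmt == FORMAT_EMBEDDED:                  # linked objects carry no NativeData
        (size,) = struct.unpack_from("<I", data, pos)
        native = data[pos + 4:pos + 4 + size]
    return {"class_name": names[0], "format_id": fmt, "native_data": native}

def extract_objects(rtf: bytes) -> list:
    """Decode each \\objdata hex stream (whitespace-tolerant, as Word is) and parse it."""
    found = []
    for m in OBJDATA_RE.finditer(rtf):
        hexdigits = re.sub(rb"\s+", b"", m.group(1))
        hexdigits = hexdigits[:len(hexdigits) & ~1]  # drop a dangling nibble
        try:
            found.append(parse_ole1(bytes.fromhex(hexdigits.decode("ascii"))))
        except (ValueError, struct.error):      # bad hex, wrong header or truncated data
            continue
    return found

def build_sample_rtf() -> bytes:
    """Constructed sample: one embedded Package object, hex split across lines."""
    hexstr = build_ole1_embedded(b"Package", b"CONSTRUCTED NATIVE DATA").hex().encode()
    chunks = [hexstr[i:i + 16] for i in range(0, len(hexstr), 16)]
    return (b"{\\rtf1{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata\r\n"
            + b" \r\n".join(chunks) + b"}}}")
```

Running `extract_objects(build_sample_rtf())` yields one object of class `Package` with the constructed native data, which is the kind of entry rtfobj lists before offering to dump the embedded file.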

You can read more and download this tool over here: https://github.com/decalage2/oletools/wiki/rtfobj
