Malicious RTF (Rich Text Format) documents are back in the news with the exploitation of CVE-2026-21509 by APT28<\/a>.<\/p>\n The malicious RTF documents\u00a0BULLETEN_H.doc<\/a> and\u00a0Consultation_Topics_Ukraine(Final).doc<\/a> mentioned in the news are RTF files (despite their .doc extension, a common trick used by threat actors).<\/p>\n Here is a quick tip to extract URLs from RTF files. Use the following command:<\/p>\n Like this:<\/p>\n BTW, if you are curious, this is how that document looks like when opened:<\/p>\n Let me break down the command:<\/p>\n So I have found one domain (wellnesscaremed) and one private IP address (192.168…). What I then like to do, is search for these keywords in the string list, like this:<\/p>\n If found extra IOCs: a UNC and a “malformed” URL. The URL has it’s hostname followed by @ssl. This is not according to standards. @ can be used to introduce credentials, but then it has to come in front of the hostname, not behind it. So that’s not the case here. More on this later.<\/p>\n Here are the results for the other document:<\/p>\n Notice that this time, we have @80.<\/p>\n I believe that this @ notation is used by Microsoft to provide the portnumber when WebDAV requests are made (via UNC). If you know more about this, please post a comment.<\/p>\n In an upcoming diary, I will show how to extract URLs from ZIP files embedded in the objects in these RTF files.<\/p>\n \u00a0<\/p>\n Didier Stevens (c) SANS Internet Storm Center. https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n \t\n
rtfdump.py -j -C SAMPLE.vir | strings.py --jsoninput | re-search.py -n url -u -F officeurls<\/code><\/pre>\n![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/20260209-120912.png?ssl=1\")
<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/20260208-212413.png?ssl=1\")
<\/p>\n\n
![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/20260209-122140.png?ssl=1\")
<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/20260209-122843.png?ssl=1\")
<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/20260208-212510.png?ssl=1\")
<\/p>\n
\nSenior handler
\nblog.DidierStevens.com<\/a><\/p>\n
\n
<\/BR><\/p>\n