{"id":11055,"date":"2026-03-03T04:03:48","date_gmt":"2026-03-03T04:03:48","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/03\/03\/32696\/"},"modified":"2026-03-03T04:03:48","modified_gmt":"2026-03-03T04:03:48","slug":"32696","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/03\/03\/32696\/","title":{"rendered":"Quick Howto: ZIP Files Inside RTF, (Mon, Mar 2nd)"},"content":{"rendered":"

Quick Howto: ZIP Files Inside RTF, (Mon, Mar 2nd)
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

In diary entry “Quick Howto: Extract URLs from RTF files<\/a>” I mentioned ZIP files.<\/p>\n

There are OLE objects inside this RTF file:<\/p>\n

\"\"<\/p>\n

\u00a0<\/p>\n

\"\"<\/p>\n

\"\"<\/p>\n

They can be analyzed with oledump.py<\/a> like this:<\/p>\n

\"\"<\/p>\n

Options –storages and -E %CLSID% are used to show the abused CLSID.<\/p>\n

\"\"<\/p>\n

Stream CONTENTS contains the URL:<\/p>\n

\"\"<\/p>\n

We extracted this URL with the method described in my previous diary entry “Quick Howto: Extract URLs from RTF files<\/a>“.<\/p>\n

But this OLE object contains a .docx file.<\/p>\n

\"\"<\/p>\n

\"\"<\/p>\n

A .docx file is a ZIP container, and thus the URLs it contains are inside compressed files, and will not be extracted with the technique I explained.<\/p>\n

But this file can be looked into with zipdump.py<\/a>:<\/p>\n

\"\"<\/p>\n

It is possible to search for ZIP files embedded inside RTF files: 50 4B 03 04 -> hex sequence of magic number header for file record in ZIP file.<\/p>\n

\"\"<\/p>\n

Search for all embedded ZIP files:<\/p>\n

\"\"<\/p>\n

Extract URLs:<\/p>\n

\"\"<\/p>\n

\"\"<\/p>\n

\u00a0<\/p>\n

Didier Stevens
\nSenior handler
\nblog.DidierStevens.com<\/a><\/p>\n

(c) SANS Internet Storm Center. https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n

\t

\n
<\/BR><\/p>\n

\t

\n
<\/BR>
\nGo to isc.sans.edu<\/a>
\n \t

\n
<\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"

Quick Howto: ZIP Files Inside RTF, (Mon, Mar 2nd) In diary entry “Quick Howto: Extract URLs from RTF files” I mentioned ZIP files. There are OLE objects inside this RTF file: \u00a0 They can be analyzed with oledump.py like this: Options –storages and -E %CLSID% are used to show the abused CLSID. Stream CONTENTS contains […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[56],"tags":[69],"class_list":["post-11055","post","type-post","status-publish","format-standard","hentry","category-isc-sans-edu","tag-isc-sans-edu"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/11055"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=11055"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/11055\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=11055"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=11055"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=11055"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}