Quick Howto: ZIP Files Inside RTF

    Published: 2026-03-02. Last Updated: 2026-03-02 11:13:04 UTC
    by Didier Stevens (Version: 1)
    1 comment(s)

    In the diary entry "Quick Howto: Extract URLs from RTF files", I mentioned ZIP files.

    There are OLE objects inside this RTF file:


    They can be analyzed with oledump.py like this:

    Options --storages (include the storages in the listing) and -E %CLSID% (display the CLSID of each entry) are used to show the abused CLSID.

    Stream CONTENTS contains the URL:

    We extracted this URL with the method described in my previous diary entry "Quick Howto: Extract URLs from RTF files".

    Besides the URL, this OLE object also contains a .docx file.

    A .docx file is a ZIP container, so the URLs it contains are inside compressed (deflated) members of the ZIP file and will not be found with the string-search technique I explained in that diary entry.

    This embedded ZIP file can be inspected with zipdump.py:

    It is possible to search for ZIP files embedded inside RTF files by looking for the hex sequence 50 4B 03 04 ("PK\x03\x04"): the magic number of the local file header, the record that starts a ZIP file. Note that RTF stores object data as hex text, so this search has to be done on the hex-decoded object data (in the raw RTF text the sequence appears as the string 504b0304).

    Search for all embedded ZIP files:

    Extract URLs:
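    Here is an added worked example, in Python, of the two steps above: finding embedded ZIP files by their 50 4B 03 04 signature and extracting URLs from the inflated members. It is not code from this diary entry and does not use rtfdump.py, oledump.py or zipdump.py; it uses only the standard library. It assumes the ZIP file sits directly in the hex-encoded \objdata of the RTF (the actual sample wraps the .docx in an OLE object, which adds one more layer to unpack), it handles only hex-encoded object data (not the \bin keyword), and the sample RTF, its member names and the URL http://example.invalid/template.dotm are constructed for the example.

```python
import binascii
import io
import re
import zipfile

ZIP_LFH = b"PK\x03\x04"   # local file header signature: 50 4B 03 04
ZIP_EOCD = b"PK\x05\x06"  # end of central directory signature: 50 4B 05 06
EOCD_FIXED_LEN = 22       # size of the EOCD record before its comment field

# RTF stores the bytes of an embedded object (\objdata) as hex text, usually
# wrapped over many lines, so the search runs on decoded hex runs: at least
# 16 bytes worth of hex digits, whitespace allowed between digit pairs.
HEX_RUN_RE = re.compile(rb"(?:[0-9A-Fa-f]{2}\s*){16,}")
URL_RE = re.compile(rb"https?://[^\s\"'<>\x00-\x1f]+")

MAX_MEMBER_SIZE = 10 * 1024 * 1024  # do not inflate members larger than this


def decode_hex_runs(rtf: bytes) -> list[bytes]:
    """Return the decoded bytes of every long hex run in an RTF file."""
    payloads = []
    for match in HEX_RUN_RE.finditer(rtf):
        digits = re.sub(rb"\s+", b"", match.group(0))
        if len(digits) % 2:
            digits = digits[:-1]  # drop a dangling nibble
        payloads.append(binascii.unhexlify(digits))
    return payloads


def carve_zips(data: bytes) -> list[bytes]:
    """Carve each ZIP file in data: from a local file header (50 4B 03 04) up
    to and including the first end of central directory record after it.
    Heuristic: a compressed member could contain the EOCD bytes by chance."""
    zips = []
    pos = 0
    while True:
        start = data.find(ZIP_LFH, pos)
        if start < 0:
            break
        eocd = data.find(ZIP_EOCD, start)
        if eocd < 0:
            break  # truncated archive, nothing complete to carve
        comment_len = int.from_bytes(data[eocd + 20:eocd + 22], "little")
        end = eocd + EOCD_FIXED_LEN + comment_len
        zips.append(data[start:end])
        pos = end
    return zips


def urls_in_zip(zip_bytes: bytes) -> list[str]:
    """Inflate every member (bounded by MAX_MEMBER_SIZE) and collect URLs."""
    urls = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.file_size > MAX_MEMBER_SIZE:
                continue  # zip-bomb guard: the declared size is too large
            for match in URL_RE.finditer(zf.read(info)):
                urls.append(match.group(0).decode("ascii", "replace"))
    return urls


def extract_urls_from_rtf(rtf: bytes) -> list[str]:
    """URLs found inside ZIP files embedded as hex-encoded object data."""
    urls = []
    for payload in decode_hex_runs(rtf):
        for zip_bytes in carve_zips(payload):
            urls.extend(urls_in_zip(zip_bytes))
    return urls


def build_sample_rtf() -> bytes:
    """Constructed test input (not a real sample): a minimal ZIP standing in
    for a .docx, with a relationship pointing to a remote template, deflated
    and hex-encoded inside an RTF \\objdata group split over 64-digit lines."""
    rels = (
        b'<?xml version="1.0" encoding="UTF-8"?>'
        b'<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        b'<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" '
        b'Target="http://example.invalid/template.dotm" TargetMode="External"/>'
        b"</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/_rels/settings.xml.rels", rels)
    hexdata = binascii.hexlify(buf.getvalue())
    lines = [hexdata[i:i + 64] for i in range(0, len(hexdata), 64)]
    return (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata\n"
            + b"\n".join(lines) + b"\n}}}")


if __name__ == "__main__":
    sample = build_sample_rtf()
    # The URL is neither in the raw RTF (hex text) nor in the decoded object
    # (deflated), so a plain string search finds nothing at either level.
    print("URLs in raw RTF:", URL_RE.findall(sample))
    print("URLs in decoded object data:", [URL_RE.findall(p) for p in decode_hex_runs(sample)])
    for url in extract_urls_from_rtf(sample):
        print("URL in embedded ZIP:", url)
```

    Running it shows the point of this diary entry: a string search on the raw RTF and on the decoded object data both come back empty, and the remote template URL only appears after the ZIP member is inflated. Expect the XML namespace URLs (schemas.openxmlformats.org) to show up as noise next to the interesting one; filter those out when triaging. The MAX_MEMBER_SIZE check matters when the input is a malicious sample: the declared uncompressed size of a member is attacker-controlled.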


    Didier Stevens
    Senior handler
    blog.DidierStevens.com


    Wireshark 4.6.4 Released

    Published: 2026-03-02. Last Updated: 2026-03-02 11:11:45 UTC
    by Didier Stevens (Version: 1)
    0 comment(s)

    Wireshark release 4.6.4 fixes 3 vulnerabilities and 15 bugs.

    Didier Stevens
    Senior handler
    blog.DidierStevens.com

    ISC Stormcast For Monday, March 2nd, 2026 https://isc.sans.edu/podcastdetail/9830
