Malicious RTF Document Analysis
2019-10-22, 13:15–16:15, DieKirch-Echternach

Rich Text Format (RTF) documents are consumed by many applications, such as Microsoft Word.

Malicious RTF documents contain exploits or embedded objects/links: in this workshop, we go through 20+ exercises to learn how to analyze these documents with Didier's tool rtfdump.py.


Rich Text Format (RTF) documents are also used to deliver a malicious payload. Unlike Word documents, they cannot contain VBA macros. To achieve code execution, malware authors have to exploit vulnerabilities, or socially engineer the recipient into executing an embedded payload.

Microsoft Equation Editor vulnerabilities are being widely exploited, and this is reflected in the increased popularity of the RTF format with malware authors.

The RTF format also lends itself to many obfuscation tricks, making the task of the analyst much harder.
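To make the analysis task concrete, here is an added example (not part of the workshop material or of rtfdump.py) that walks the brace groups of an RTF file, locates `\object` groups, decodes the hex dump of their `\objdata` destination and reads the OLE 1.0 object header to report the embedded object's class. The RTF sample is constructed with placeholder object bytes; real documents add the obfuscation tricks mentioned above, which a full analysis tool has to handle.

```python
import re
import struct

# Constructed sample: one embedded OLE object of class "Package" with placeholder data bytes.
SAMPLE_RTF = r"""{\rtf1\ansi{\fonttbl{\f0 Arial;}}
\pard Invoice attached.\par
{\object\objemb\objw1440\objh1440{\*\objclass Package}
{\*\objdata 01050000 02000000 08000000
5061636b61676500 00000000 00000000
04000000 deadbeef}}
\par}"""

def iter_groups(rtf):
    """Yield (depth, raw) for every {...} group; raw keeps nested groups. Escaped braces are skipped."""
    starts, i = [], 0
    while i < len(rtf):
        ch = rtf[i]
        if ch == "\\":            # control symbol or word: the next char is never a structural brace
            i += 2
            continue
        if ch == "{":
            starts.append(i + 1)
        elif ch == "}" and starts:
            start = starts.pop()
            yield len(starts) + 1, rtf[start:i]
        i += 1

def hex_payload(destination):
    """Decode the hex dump of an \objdata destination, ignoring whitespace and interleaved control words."""
    cleaned = re.sub(r"\\\*|\\[A-Za-z]+-?\d*\s?", "", destination)
    digits = re.sub(r"[^0-9A-Fa-f]", "", cleaned)
    if len(digits) % 2:           # a dangling nibble is dropped, as a lenient reader would
        digits = digits[:-1]
    return bytes.fromhex(digits)

def parse_ole1_header(payload):
    """Read the OLE 1.0 ObjectHeader: version, FormatID (1 = linked, 2 = embedded) and class name."""
    version, format_id, name_len = struct.unpack("<III", payload[:12])
    class_name = payload[12:12 + name_len].rstrip(b"\0").decode("ascii", "replace")
    return {"version": version, "format_id": format_id, "class_name": class_name}

def extract_objects(rtf):
    """Return one record per \object group: nesting depth, declared class, decoded size and payload."""
    found = []
    for depth, raw in iter_groups(rtf):
        if not raw.startswith("\\object"):
            continue
        cls = re.search(r"\{\\\*\\objclass ([^}]*)\}", raw)
        data = re.search(r"\{\\\*\\objdata([^}]*)\}", raw)
        if not data:
            continue
        payload = hex_payload(data.group(1))
        found.append({"depth": depth, "class": cls.group(1).strip() if cls else None,
                      "size": len(payload), "payload": payload})
    return found

if __name__ == "__main__":
    for obj in extract_objects(SAMPLE_RTF):
        print(obj["depth"], obj["class"], obj["size"], parse_ole1_header(obj["payload"]))
```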

In this workshop, Didier Stevens will teach you analysis of malicious RTF documents in his typical workshop style: this means hands-on, many exercises, and just a few slides.