rtfraptor is a simple tool to aid analysis of malicious RTF files by extracting OLEv1 objects. It was inspired by a blog post by Denis O’Brien.
It works by running Word and intercepting calls to OLEv1 functions. This allows raw OLE objects to be dumped from memory for further analysis. The tool is designed to be run on Windows.
This is useful for:
- Avoiding manual analysis of obfuscated RTF files.
- Extracting malicious objects (packager objects, Equation Editor abuse, embedded documents etc.).
- Identifying what vulnerabilities (or features) an RTF document is trying to abuse.
- Verifying the output of other tools (e.g. static document parsers).
The tool was written by David Cannings and is released under the AGPL.
How does it work?
At present the code hooks three functions which are involved in loading an OLEv1 object:
- ole32!OleConvertOLESTREAMToIStorage – which converts a legacy OLEv1 object to an object implementing IStorage.
- ole32!OleLoad – which is called when an OLEv1 object is loaded.
- ole32!OleGetAutoConvert – which is called by OleLoad to convert the GUID.
This chain of functions provides the raw OLEv1 data, confirmation that it has been loaded and, finally, the class identifier.
The method is slightly fragile as ole32!OleGetAutoConvert can be called from other (benign) sources. A better approach would be to understand the layout of IStorage in memory, which might allow a single hook on ole32!OleLoad.
$ pip install rtfraptor
At a minimum the options --executable and --file need to be passed, like so:
To save JSON output and dump the raw OLEv1 objects to disk, pass the following options:
--json output.json --save-path ole_parts
Note: this tool runs Word. Analysis of suspicious documents should be done inside a virtual machine. The tool does not stop any final payload from executing, and you may wish to isolate the virtual machine from any networking.
Raw object output
Raw OLEv1 objects can be stored using the --save-path option. Below is an example Packager object which contains a portable executable file.
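As an added example (not part of rtfraptor itself), a small Python parser for the kind of raw OLEv1 object that --save-path writes: it reads the MS-OLEDS EmbeddedObject header and, for a Packager ("Package" class) object, pulls out the label, source path and embedded file, flagging a PE payload by its MZ header. The Packager field layout follows oletools' OleNativeStream parser; the sample object is constructed inline and is not a real malicious file.

```python
import struct

def _lp_ansi(buf, off):
    # MS-OLEDS LengthPrefixedAnsiString: 4-byte length (NUL included), then the bytes
    (n,) = struct.unpack_from("<I", buf, off)
    return buf[off + 4:off + 4 + n].rstrip(b"\x00").decode("latin-1"), off + 4 + n

def _cstr(buf, off):
    # NUL-terminated ANSI string as used inside Packager native data
    end = buf.index(b"\x00", off)
    return buf[off:end].decode("latin-1"), end + 1

def parse_ole1_embedded(blob):
    """Split an OLEv1 EmbeddedObject (MS-OLEDS 2.2.5) into class name and native data."""
    if struct.unpack_from("<I", blob, 4)[0] != 2:  # FormatID: 1 = linked, 2 = embedded
        raise ValueError("not an OLEv1 embedded object")
    class_name, off = _lp_ansi(blob, 8)  # skip OLEVersion and FormatID
    _topic, off = _lp_ansi(blob, off)
    _item, off = _lp_ansi(blob, off)
    (size,) = struct.unpack_from("<I", blob, off)
    native = blob[off + 4:off + 4 + size]
    if len(native) != size:
        raise ValueError("truncated native data")
    return class_name, native

def parse_packager(native):
    """Parse 'Package' class native data (field layout as in oletools' OleNativeStream)."""
    label, off = _cstr(native, 2)  # skip the leading 0x0002 header word
    src_path, off = _cstr(native, off)
    off += 6  # unknown short + unknown long
    (tmp_len,) = struct.unpack_from("<I", native, off)
    off += 4 + tmp_len  # length-prefixed temp path
    (size,) = struct.unpack_from("<I", native, off)
    payload = native[off + 4:off + 4 + size]
    return {"label": label, "src_path": src_path, "payload": payload,
            "is_pe": payload[:2] == b"MZ"}

def triage(blob):
    cls, native = parse_ole1_embedded(blob)
    info = {"class_name": cls, "native_size": len(native)}
    if cls == "Package":  # expand Packager objects to show the embedded file
        info.update(parse_packager(native))
    return info

def build_sample():
    # Constructed input, not a real sample: a Packager object carrying a 16-byte fake PE stub
    lp = lambda s: struct.pack("<I", len(s)) + s
    payload = b"MZ" + b"\x90" * 14
    native = (b"\x02\x00" + b"x.exe\x00" + b"C:\\x.exe\x00" + bytes(6)
              + lp(b"C:\\Temp\\x.exe\x00") + lp(payload))
    return (struct.pack("<II", 0x501, 2) + lp(b"Package\x00") + lp(b"") + lp(b"")
            + struct.pack("<I", len(native)) + native)
```

Run `triage(open(path, "rb").read())` on a dumped object to get the same summary for real output; the MZ check is a hint for further analysis, not proof that the payload is a complete executable.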
Console output is generated listing any suspicious OLE objects (those whose class identifier is listed in oletools.common.clsid):
The tool will produce output in JSON format if the --json option is passed. This can be used for further processing, and is in the following format:
Keys in objects are provided in the order the OLEv1 objects were loaded.
Copyright (C) 2018 edeca