just another web log

08 Oct 2018:
linux pries open the seedy windows underbelly wtf rtf
I get a lot of spam and I ask my ISP not to filter it, as I am interested in what is getting thrown about. I have addresses going back to the late 90s. Some days I get nothing, other days tens of different spams.

In the past I have got hundreds, but I am guessing they are finally filtering out really old emails. Not to mention the number that arrive with a single character replaced/missing. I think they have a real problem with data corruption. But what does it matter when you are sending a scatter shot of tens of thousands and not expecting too many to stick?

It is quite rare that I get obvious malware attachments and I normally just mark them as spam. This time I decided to see what I could see.

The email attachment was a .doc file on the end of a short story about how I should check the supplied product list.

I saved the attachment and ran

file Product_list.doc
This told me it was an RTF (Rich Text Format) file, and the internet said I needed the rtfobj.py Python script to interrogate it.

rtfobj.py -s all Product_list.doc
Where -s all saves all the embedded files in the RTF file.

There were six files, all malware: a couple of .cmd files that set up the Windows registry to run the rest, which were .exe files.

Using file again showed they were Windows PE32 executables.
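As an added example (my own sketch, not the author's work and not part of oletools), here is a minimal Python triage of the same RTF object layer that rtfobj walks: it pulls each \objdata group, decodes the hex, parses the OLE 1.0 header for the class name, and sniffs the native data for the PE "MZ" magic that file reported. The RTF sample and its payload are constructed inline; the object class "Package" and the regex are my assumptions, not taken from the original attachment.

```python
import hashlib
import re

# Constructed sample payload (not the author's sample); it starts with the PE "MZ" magic.
PAYLOAD = b"MZ" + b"\x90" * 62 + b"constructed fake PE body, not a real executable"
# Hex run between \objdata and the closing brace of its group (assumes no nested groups).
OBJDATA = re.compile(rb"\\objdata\b([^}]*)")
MAGIC = [(b"MZ", "PE executable"), (b"\xd0\xcf\x11\xe0", "OLE2 compound file")]

def build_sample_rtf(class_name: bytes, native: bytes) -> bytes:
    """Constructed RTF with one \\objdata group wrapping an OLE 1.0 embedded object."""
    ole1 = (b"\x01\x05\x00\x00"                      # OLEVersion
            + (2).to_bytes(4, "little")              # FormatID 2 = embedded object
            + (len(class_name) + 1).to_bytes(4, "little") + class_name + b"\x00"
            + b"\x00\x00\x00\x00" * 2                # empty TopicName and ItemName
            + len(native).to_bytes(4, "little") + native)
    return (b"{\\rtf1\\ansi Please check the attached product list.\n{\\object\\objemb"
            b"{\\*\\objclass " + class_name + b"}{\\*\\objdata " + ole1.hex().encode() + b"}}}")

def parse_ole1(blob: bytes) -> dict:
    """OLE 1.0 header: version, FormatID, three length-prefixed names, NativeDataSize, payload."""
    def u32(off: int) -> int:
        if off + 4 > len(blob):
            raise ValueError("truncated OLE 1.0 header")
        return int.from_bytes(blob[off:off + 4], "little")
    fmt, pos, names = u32(4), 8, []
    for _ in range(3):                               # ClassName, TopicName, ItemName
        n = u32(pos)
        names.append(blob[pos + 4:pos + 4 + n].rstrip(b"\x00").decode("latin-1"))
        pos += 4 + n
    native = blob[pos + 4:pos + 4 + u32(pos)]
    if len(native) != u32(pos):
        raise ValueError("native data shorter than declared NativeDataSize")
    return {"format": fmt, "class": names[0], "native": native}

def triage_rtf(data: bytes) -> list:
    if not data.startswith(b"{\\rtf"):               # same first check `file` effectively makes
        raise ValueError("not an RTF file")
    findings = []
    for m in OBJDATA.finditer(data):
        try:
            obj = parse_ole1(bytes.fromhex(m.group(1).decode("ascii")))
        except ValueError as err:                    # bad hex or truncated object
            findings.append({"error": str(err)})
            continue
        native = obj["native"]
        kind = next((name for sig, name in MAGIC if native.startswith(sig)), "unknown")
        findings.append({"class": obj["class"], "format": obj["format"], "size": len(native),
                         "type": kind, "sha256": hashlib.sha256(native).hexdigest()})
    return findings
```

Real samples often split the hex across nested groups and, for Package objects, wrap the dropped file in a further Packager stream, which rtfobj unpacks and this sketch does not.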
After running strings a few times I realised I needed something more focused on windows binaries.

pip install -U oletools

gave me objdump and nm

objdump --no-show-raw-insn -x -s -h -g -C -d -M intel Product_list.doc_mondi.exe | less
(read the help, all those options do make sense)

But sadly no fun URLs/API endpoints to poke at.

And all references came up as known malware, so a bit of a dead end, but I did have fun exploring.
