Image credit: pixabay

rtfsig released

Today I released a new tool named rtfsig. rtfsig is a simple Python utility that helps create signatures for malicious RTF documents.

The tool automatically generates YARA rules and makes suggestions for VirusTotal's vtgrep based on potentially distinctive parts of RTF documents.

Running the tool against an RTF document outputs a series of "interesting strings":

```
-> % rtfsig -f 0b06052d3b5954594cf0e28bd9c50d9110eb8fb78cb78c9a99686eb4ba3391df.hostile
INFO:root:Starting to parse file 0b06052d3b5954594cf0e28bd9c50d9110eb8fb78cb78c9a99686eb4ba3391df.hostile
INFO:root:Non-standard RTF magic marker, should be {\rtf1, often a sign of malicious docs
INFO:root:Found an RSID table in this document
INFO:root:Found 1 embedded image(s) with set height/width
INFO:root:Found 2 document information group tags
INFO:root:Interesting strings (higher chance of FP): \rsid7043998, \rsid7476075, insrsid7043998, \rsid10243744, \rsid7604251, insrsid10243744, {\author blue}, rsidroot10243744, \rsid9200135, tblrsid10243744, charrsid10243744, \picw1\pich1\picwgoal1\pichgoal1 , pararsid10243744, \rsid7238080, insrsid7476075, \rsid11666446, insrsid12343406, \rsid12343406, {\operator blue}
INFO:root:Found some unique strings!  Consider using vtgrep or deploying Yara rules
```

In the example above the string pararsid10243744 is output, which is a revision marker (RSID) for a paragraph. A single marker is not necessarily unique on its own, but requiring several markers from the same file to match together helps to find related documents while keeping false positives down.
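To show the general approach in code, here is an added example written for this post; it is not rtfsig's own code and makes no claim about how rtfsig is implemented. It pulls RSID control words, document information tags and fixed-size picture markers out of a constructed RTF fragment (not a real malicious sample), checks the `{\rtf1` magic marker, and builds a YARA rule that requires several of those strings to co-occur rather than any one of them. The regular expressions, function names and the `min_match` threshold are all assumptions made for this illustration.

```python
import re
import sys

# Constructed sample RTF fragment (not a real document) carrying the kinds of
# markers the post describes: a non-standard magic marker ({\rtf instead of
# {\rtf1), an RSID table, document information tags and a picture with
# explicit height/width control words.
SAMPLE_RTF = (
    r"{\rtf{\info{\author blue}{\operator blue}}"
    r"{\*\rsidtbl \rsid7043998\rsid10243744\rsid7476075}"
    r"{\pard\pararsid10243744\insrsid7043998 hello}"
    r"{\pict\picw1\pich1\picwgoal1\pichgoal1 00ff}}"
)

# RSID control words: \rsidNNN, \insrsidNNN, \pararsidNNN, \charrsidNNN,
# \tblrsidNNN, \delrsidNNN and \rsidrootNNN. Requiring digits immediately
# after "rsid"/"rsidroot" keeps \rsidtbl (the table header) out of the list.
RSID_RE = re.compile(r"\\((?:ins|para|char|tbl|del)?rsid(?:root)?\d+)")
# Document information group tags such as {\author blue} or {\operator blue}.
INFO_RE = re.compile(r"\{\\(?:author|operator|title|company)[^}]*\}")
# Embedded pictures whose width/height control words are all present.
PICT_RE = re.compile(r"\\picw\d+\\pich\d+\\picwgoal\d+\\pichgoal\d+")


def check_magic(data: str) -> bool:
    """True when the document starts with the standard {\\rtf1 header."""
    return data.startswith(r"{\rtf1")


def extract_strings(data: str) -> dict:
    """Collect the distinctive strings from an RTF body, deduplicated and sorted."""
    return {
        "magic_ok": check_magic(data),
        "rsids": sorted(set(RSID_RE.findall(data))),
        "info": sorted(set(INFO_RE.findall(data))),
        "pict": sorted(set(PICT_RE.findall(data))),
    }


def yara_escape(s: str) -> str:
    """Escape backslashes and quotes so the string is valid inside a YARA text string."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def build_yara_rule(name: str, strings: list, min_match: int = 3) -> str:
    """Emit a YARA rule that fires only when min_match of the strings co-occur.

    Requiring several markers together is what lowers the false-positive
    rate of individually weak strings such as a single RSID value.
    """
    if not strings:
        raise ValueError("no strings to build a rule from")
    n = min(min_match, len(strings))
    lines = [f"rule {name}", "{", "    strings:"]
    for i, s in enumerate(strings):
        lines.append(f'        $s{i} = "{yara_escape(s)}"')
    lines += ["    condition:", f"        {n} of them", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python rtf_markers.py <file.rtf>; falls back to the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "r", encoding="latin-1") as fh:
            body = fh.read()
    else:
        body = SAMPLE_RTF
    found = extract_strings(body)
    if not found["magic_ok"]:
        print("Non-standard RTF magic marker (expected {\\rtf1)")
    candidates = found["rsids"] + found["info"] + found["pict"]
    print(build_yara_rule("rtf_markers_example", candidates, min_match=3))
```

The `min_match` threshold is the practical knob: with a handful of RSID values and an author tag, asking for three or more of them to match keeps the rule tied to documents produced from the same source file rather than to any document that happens to share one revision number.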

You can find rtfsig on PyPI and full instructions are available on GitHub.

David Cannings
Cyber Security

My interests include computer security, digital electronics and writing tools to help analysis of cyber attacks.