Malware Analysis 3103: Rich Text Format (RTF)

Documents are at the core of most business processes today. Over the years the complexity of documents formats has increased considerably to enrich user experience and ensure interoperability between different formats. This variety and complexity provides offensive teams with a large attack surface while the need for usability and accessibility creates challenges for defenders.

Today, malicious documents are a common attack vector. In addition to providing an entrypoint into target systems they can also be used when pivoting across the network.

In the malicious documents series of courses we will go through some of the most common document file formats. We will start with an overview of each format. Based on this we will look at tools & methods to analyze them and common payload delivery techniques. We will work our way through some case studies of malicious documents (e.g. containing exploits). We will also look into custom tooling for automating some of these tasks.

The goal of these courses is to develop a sense of where things go wrong in file formats and how to spot that. In addition we aim to understand how seemingly non-malicious side-effects may be used as part of an attack and how this relates to documents.

There will be plenty of mentions and references of how this is used in real attacks.