Showing posts from May, 2014

Cryptam Document Analysis + OpenXML embedded in RTF

Recently there have been a number of reports of RTF exploits using a new trick: embedding OpenXML exploits to create a multi-exploit "master key" that covers a number of recently patched exploits in one RTF file with low AV detection. In particular, the file tweeted on March 29 by @botherder got our attention and was covered by McAfee and Blue Coat.

MD5: af17892aa82b48282d956adeb5e70e65
Original filename: aircanada_eticket_820910108.doc
Cryptam report.
VirusTotal: 29/51

While the RTF component superficially uses CVE-2010-3333, the file also contains an Open XML (docx) file exploiting CVE-2012-1856 and an embedded TIFF exploiting CVE-2013-3906. AV detection that names only the most obvious, and old, CVE-2010-3333 can be misleading: it invites the assumption that you're patched against this threat.
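A triage check for the embedded Open XML container described above, as an added example that is not code from the original post or from Cryptam: it searches hex-encoded RTF object data for a ZIP local file header, opens the archive, and lists any `activeXNN` parts. The function names and the benign sample document are constructed for illustration, and the check goes slightly beyond the post by tolerating line breaks and nibble misalignment in the hex stream.

```python
import io
import re
import zipfile

HEX_RUN = re.compile(rb"(?:[0-9A-Fa-f]\s*){64,}")   # hex-encoded object data
ZIP_MAGIC_HEX = b"504b0304"                          # "PK\x03\x04" local file header
ACTIVEX_PART = re.compile(r"(^|/)activeX\d+\.(xml|bin)$", re.I)

def open_zip_at(hexdata: bytes, pos: int):
    """Decode hex from nibble offset pos; return ZIP member names, or None."""
    tail = hexdata[pos:]
    blob = bytes.fromhex(tail[: len(tail) & ~1].decode("ascii"))
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return zf.namelist()
    except (zipfile.BadZipFile, ValueError, OSError):
        return None

def find_embedded_openxml(rtf: bytes):
    """Return one finding per hex run in the RTF that holds a readable ZIP."""
    findings = []
    for run in HEX_RUN.finditer(rtf):
        hexdata = re.sub(rb"\s+", b"", run.group(0)).lower()
        pos = hexdata.find(ZIP_MAGIC_HEX)
        while pos != -1:          # skip chance matches that are not real archives
            names = open_zip_at(hexdata, pos)
            if names is not None:
                findings.append({
                    "is_openxml": "[Content_Types].xml" in names,
                    "activex_parts": sorted(n for n in names if ACTIVEX_PART.search(n)),
                    "members": names,
                })
                break
            pos = hexdata.find(ZIP_MAGIC_HEX, pos + 1)
    return findings

def build_sample_rtf() -> bytes:
    """Constructed, benign sample: RTF objdata hex wrapping a tiny docx-like ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("[Content_Types].xml", "word/document.xml",
                     "word/activeX/activeX1.xml", "word/activeX/activeX1.bin"):
            zf.writestr(name, b"<constructed/>")
    hexed = (b"\x01\x05\x00\x00" + buf.getvalue()).hex().encode()
    lines = b"\r\n".join(hexed[i:i + 64] for i in range(0, len(hexed), 64))
    return b"{\\rtf1{\\object\\objemb{\\*\\objdata " + lines + b"}}}"

if __name__ == "__main__":
    for finding in find_embedded_openxml(build_sample_rtf()):
        print(finding)
```

A hit with `is_openxml` true and a non-empty `activex_parts` list means the embedded container should be extracted and analysed on its own, whatever label AV gave the outer RTF.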

RTF content with embedded OpenXML (zip header):

OpenXML embedded content and CVE-2012-1856 ActiveX files:

CVE-2012-1856 classID referenced in activeXNN.xml files:

RTF Start of CVE-2013-3906 Tiff referenced as a jpeg…