Introduction

In this lab, we investigate a suspicious RTF (Rich Text Format) document that has raised security alerts within a sandboxed environment. Although an initial review by a colleague found nothing malicious, further examination suggests hidden exploitative behavior. As a SOC analyst, the objective is to conduct a thorough forensic analysis of the document to determine whether it poses a real security threat and to uncover its underlying mechanisms. This investigation involves dissecting the document structure using rtfdump.py, a tool designed to parse and extract embedded objects from RTF files. By analyzing these objects, we can identify OLE (Object Linking and Embedding) components, which are often used to deliver malicious payloads. Further inspection of the embedded data can reveal patterns of obfuscation (hex data split across whitespace and stray control words that Word's parser silently ignores), allowing us to reconstruct any concealed shellcode and examine how it interacts with the host system.

To determine the nature of the exploit, we will simulate the execution of any extracted shellcode using scdbg, which allows us to observe API calls and behavioral indicators. This analysis helps us identify malicious system functions, such as network requests or process execution, which may indicate command execution, payload downloads, or privilege escalation attempts. Additionally, we will compare the document’s characteristics with known public exploits to assess whether an automated tool was used to craft the payload. By leveraging open-source intelligence (OSINT) searches, we can trace the origins of the exploit, identify it
