Wednesday, 7 March 2018

IRIS-H (alpha): Added RTF files parser module

Quick Summary

Build Version: 0.0.1(alpha)
Change Type: new feature
Affected Components: API, UI
Short Description: API-side code logic (a parser) has been added to allow RTF file processing. Currently, the new parser provides basic data extraction capabilities. The UI-side 'Submission' and 'About' pages have been updated to reflect the new changes.
Outstanding Tasks: Second development iteration.
Known Issues: Some data obfuscation types are not supported.

Detailed Summary

New code logic has been added to IRIS-H to allow processing of Rich Text Format (RTF) files. The 'Submission' page will now accept RTF file uploads and pass them on for further processing, which includes the following:

  • extract document metadata
  • identify and parse embedded objects
  • extract font table
  • detect languages used in the document
  • provide description for all extracted data

Currently, the parsing module only provides essential processing. It was tested against a good number of malicious RTF files and seems relatively stable when handling the majority of obfuscation techniques. Thanks to @James_inthe_box for providing the samples!
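As an added illustration of the processing steps listed above (this is example code written for this page, not IRIS-H's own parser, which is not shown here), the following Python sketch performs the same four extraction steps on a small constructed RTF document: it tokenizes the file into groups, reads the info group for metadata, walks the font table, collects LCIDs from the lang/deflang control words, and decodes an embedded OLE1 object whose hex data has been padded with junk control words, whitespace and a nested group, which is the most common obfuscation seen in malicious RTFs. The sample document, the LCID lookup table and every function name are assumptions made for the example.

```python
import re
import struct
# RTF tokens: control word (+param), control symbol or \'hh escape, brace, text run, newline.
TOKEN_RE = re.compile(r"\\([a-zA-Z]+)(-?\d+)? ?|(\\'[0-9a-fA-F]{2}|\\.)|([{}])|([^\\{}\r\n]+)|[\r\n]+", re.S)
NON_HEX_RE = re.compile(r"[^0-9a-fA-F]")
LCID_NAMES = {1033: "en-US", 1036: "fr-FR", 1049: "ru-RU", 2052: "zh-CN"}  # Windows LCID subset
# Constructed sample (not a real malware file): metadata, two fonts, two languages and one embedded
# OLE1 "Package" object whose hex is padded with junk control words, spaces and a nested group.
SAMPLE_RTF = (
    r"{\rtf1\ansi\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}{\f1\fswiss\fcharset204 Arial;}}"
    r"{\info{\title Quarterly report}{\author constructed-author}}"
    r"\pard\lang1049\f0 Hello world\par"
    r"{\object\objemb{\*\objclass Package}{\*\objdata 0105 0000 \junkcw 0200 {\morejunk 0000}"
    r"0800 0000 5061636b61676500 00000000 00000000 04000000 deadbeef}}}"
)

def parse_rtf(data):
    stack = [[]]  # items: ('cw', name, param), ('text', s) or a nested list per {group}
    for m in TOKEN_RE.finditer(data):
        if m.group(1):
            stack[-1].append(("cw", m.group(1), int(m.group(2)) if m.group(2) else None))
        elif m.group(4) == "{":
            stack.append([])
        elif m.group(4) == "}":
            grp = stack.pop()
            (stack[-1] if stack else stack).append(grp)  # a stray '}' must not lose the root
        elif m.group(5):
            stack[-1].append(("text", m.group(5)))
        # group(3) (\*, \{, \\, \'hh) is consumed and dropped, so escaped braces never nest
    while len(stack) > 1:  # groups still open at end of file
        stack[-2].append(stack.pop())
    return stack[0]

def groups(g):
    yield g  # pre-order walk over a group and every sub-group
    for item in g:
        if isinstance(item, list):
            yield from groups(item)

def cws(g):
    return [it for it in g if not isinstance(it, list) and it[0] == "cw"]

def first_cw(g):
    return cws(g)[0][1] if cws(g) else None  # e.g. 'info' for {\info ...}

def text_of(g):
    return "".join(text_of(it) if isinstance(it, list) else it[1] if it[0] == "text" else "" for it in g)

def extract_summary(tree):  # metadata (info group), font table and language IDs, in one walk
    meta, fonts, langs = {}, [], {}
    for g in groups(tree):
        subs = [s for s in g if isinstance(s, list)]
        if first_cw(g) == "info":
            meta.update({first_cw(s): text_of(s).strip() for s in subs if first_cw(s)})
        elif first_cw(g) == "fonttbl":
            for s in subs:
                params = {n: p for _, n, p in cws(s)}
                fonts.append({"id": params.get("f"), "charset": params.get("fcharset"),
                              "name": text_of(s).strip().rstrip(";")})
        for _, n, p in cws(g):
            if n in ("lang", "deflang", "langfe", "deflangfe") and p is not None:
                langs[p] = LCID_NAMES.get(p, "unknown LCID")
    return {"metadata": meta, "fonts": fonts, "languages": langs}

def parse_ole1(buf):
    """MS-OLEDS EmbeddedObject: OLEVersion, FormatID, class/topic/item strings, size, data (LE)."""
    def lp_string(off):  # LengthPrefixedAnsiString: 4-byte length, then NUL-terminated bytes
        (length,) = struct.unpack_from("<I", buf, off)
        return buf[off + 4:off + 4 + length].rstrip(b"\x00").decode("latin-1"), off + 4 + length
    version, fmt = struct.unpack_from("<II", buf, 0)
    cls, off = lp_string(8)
    _topic, off = lp_string(off)
    _item, off = lp_string(off)
    (size,) = struct.unpack_from("<I", buf, off)
    return {"ole_version": version, "format_id": fmt, "ole_class": cls,
            "native_size": size, "native_data": buf[off + 4:off + 4 + size]}

def extract_objects(tree):
    objs = []
    for g in (g for g in groups(tree) if first_cw(g) == "object"):
        obj = {"class": None, "data": b"", "ole": None}
        for sub in (s for s in g if isinstance(s, list)):
            if first_cw(sub) == "objclass":
                obj["class"] = text_of(sub).strip()
            elif first_cw(sub) == "objdata":
                # text_of() drops interleaved control words, NON_HEX_RE drops spaces and other
                # filler, and a dangling nibble is discarded (\bin binary runs are not handled)
                hexstr = NON_HEX_RE.sub("", text_of(sub))
                obj["data"] = bytes.fromhex(hexstr[:len(hexstr) // 2 * 2])
        try:
            obj["ole"] = parse_ole1(obj["data"])
        except struct.error:  # truncated or non-OLE1 payload: keep the raw bytes only
            pass
        objs.append(obj)
    return objs

def process_rtf(data):
    tree = parse_rtf(data)
    return {**extract_summary(tree), "objects": extract_objects(tree)}
```

`process_rtf(SAMPLE_RTF)` returns one dictionary with the four categories; for a real submission, read the file as text with `errors="replace"` and pass the string in. The de-obfuscation step only covers filler inserted between hex digits; binary runs introduced with the bin control word and the obfuscation types the release notes list as unsupported are not handled, and a payload whose header does not parse as OLE1 is kept as raw bytes rather than rejected, so an analyst still sees it.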

Example Reports - ASLR/DEP evasion using msvbvm60.dll (CVE-2017-11826 precursor)