rtf_exploit_extractor Script to extract malicious payload and decoy rtf document.


rtf_exploit_extractor is a script that extracts the malicious payload and the decoy document from CVE-2015-1641 exploit documents. It will also work on other RTF exploit documents that use a similar begin/end marker and XOR cipher.


Once decrypted, this shellcode is responsible for some key actions:
– Locate, decrypt, and execute the malware binary payload.
– Patch some key bytes in the registry to mask the MS Word crash caused by the exploit.
– Locate, decrypt, and display the decoy document.
The malware payload and the decoy document are both contained inside the large binary segment appended to the end of the RTF file.
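The extraction steps described above (find the appended binary segment, cut out the blob between the begin/end markers, undo the XOR cipher) as an added Python example; this is not the project's rtfexploit_extract.py. The marker strings, the single-byte XOR assumption, and the key recovery via the PE "MZ" signature are assumptions for demonstration, since the page gives none of these values; the sample document is constructed inline.

```python
# Constructed placeholders: the page does not give the real begin/end markers
# or the XOR key, so these values are assumptions for demonstration only.
BEGIN_MARKER = b"BEGIN_PAYLOAD"  # hypothetical
END_MARKER = b"END_PAYLOAD"      # hypothetical

def rtf_end_offset(rtf: bytes) -> int:
    """Offset just past the brace closing the RTF document. Braces escaped as
    \\{ and \\} are skipped so they do not disturb the depth count."""
    depth, i = 0, 0
    while i < len(rtf):
        c = rtf[i]
        if c == 0x5C:            # backslash: skip the escaped character
            i += 2
            continue
        if c == 0x7B:            # '{'
            depth += 1
        elif c == 0x7D:          # '}'
            depth -= 1
            if depth == 0:
                return i + 1
        i += 1
    raise ValueError("unbalanced RTF braces")

def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def recover_single_byte_key(blob: bytes, known_prefix: bytes = b"MZ") -> int:
    """Assumes a single-byte XOR cipher (assumption); picks the key whose
    plaintext starts with the PE 'MZ' signature (known-plaintext recovery)."""
    for key in range(256):
        if xor_bytes(blob[:len(known_prefix)], key) == known_prefix:
            return key
    raise ValueError("no single-byte key yields an MZ header")

def extract_payload(rtf: bytes) -> tuple:
    """Locate the appended segment, cut out the marked blob, decrypt it."""
    segment = rtf[rtf_end_offset(rtf):]
    start = segment.find(BEGIN_MARKER)
    if start == -1:
        raise ValueError("begin marker not found in appended segment")
    start += len(BEGIN_MARKER)
    stop = segment.find(END_MARKER, start)
    if stop == -1:
        raise ValueError("end marker not found in appended segment")
    blob = segment[start:stop]
    key = recover_single_byte_key(blob)
    return key, xor_bytes(blob, key)

def build_sample(key: int = 0x5A) -> bytes:
    """Constructed test document: minimal RTF, then a fake PE stub that is
    XOR-encoded and wrapped in the placeholder markers."""
    fake_pe = b"MZ" + b"\x90" * 14 + b"This program cannot be run in DOS mode."
    return (b"{\\rtf1\\ansi Hello}" + b"\x00" * 4
            + BEGIN_MARKER + xor_bytes(fake_pe, key) + END_MARKER)

if __name__ == "__main__":
    key, payload = extract_payload(build_sample())
    print(f"key=0x{key:02x} payload={len(payload)} bytes starts={payload[:2]!r}")
```

To run it against a real sample, read the file in binary mode and pass the bytes to extract_payload after replacing the placeholder markers with the ones observed in that family.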

rtfexploit_extract.py script:

Source: https://github.com/Cyberclues