# rtfdump.py
# Analyze RTF file structure, identify hex-encoded groups and embedded objects
# FOR610 Labs: 3.5 | Sections: 3 | Author: Didier Stevens
# Docs: https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office

% rtf, document, didier-stevens

# Basic usage
rtfdump.py document.rtf

# Select specific item
rtfdump.py document.rtf -s 5 -H -d > extracted.bin


# --- Recipes (multi-tool chains) ---

# >> Extract Shellcode from RTF Document
# Scan RTF structure — look for groups with lots of hex data
rtfdump.py <document.rtf>
# Extract the hex-heavy group as binary
rtfdump.py <document.rtf> -s <group_num> -H -d > extracted.bin
# Scan for shellcode patterns (even XOR-encoded)
XORSearch -W -d 3 extracted.bin
# Emulate shellcode at found offset
scdbgc /f extracted.bin /foff <offset> /s -1