Listen to this Post

Malicious RTF (Rich Text Format) files are making headlines again, as cyber threat group APT28 exploits the newly disclosed CVE-2026-21509 vulnerability. Attackers are leveraging RTF documents disguised as Word files—like BULLETEN_H.doc and Consultation_Topics_Ukraine(Final).doc—to sneak malicious content past unsuspecting users. Despite the .doc extension, these files are genuine RTF documents, a common trick to evade detection. Extracting embedded URLs from such files is crucial for threat analysts and cybersecurity professionals to uncover command-and-control servers, phishing links, or other malicious endpoints.
This article provides a practical, step-by-step method to extract URLs from RTF files safely using a command-line approach. It also highlights anomalies in URL formats often seen in these documents, giving analysts context for further investigation.
Quick How-To: Extract URLs from RTF Files
To extract URLs from a suspicious RTF file, you can use the following command chain:
bash
Copy code
rtfdump.py -j -C SAMPLE.vir | strings.py –jsoninput | re-search.py -n url -u -F officeurls
Here’s what each component does:
rtfdump.py -j -C SAMPLE.vir – Parses the RTF file SAMPLE.vir and outputs JSON data for all embedded objects. The -C option ensures all combinations are included: raw item, hex-decoded item (-H), and hex-decoded with shift applied (-H -S). Each item produces three JSON entries.
strings.py –jsoninput – Extracts all readable strings from the JSON output of rtfdump.py.
re-search.py -n url -u -F officeurls – Filters the extracted strings for URLs (-n url), removes duplicates (-u), and excludes Office-specific document URLs (-F officeurls).
Using this method, analysts identified domains like wellnesscaremed and private IP addresses such as 192.168.x.x. Further exploration of the string list revealed malformed URLs, often including an @ symbol after the hostname (e.g., hostname@ssl). Normally, @ precedes credentials in URLs, making these anomalies suspicious.
For example, some documents use the @80 notation, which likely represents a port number in Microsoft WebDAV requests. Understanding these quirks is essential for accurately mapping potential attack infrastructure.
Future analyses will extend this method to extract URLs from ZIP files embedded within these RTF objects, further exposing hidden threats.
What Undercode Say:
Malicious RTFs are evolving, and the APT28 exploitation of CVE-2026-21509 highlights the need for rapid, technical response from security teams. The workflow Didier Stevens outlines is a precise, reproducible method for dissecting RTF files, providing analysts with actionable intelligence.
The appearance of malformed URLs and unusual @ notations suggests that threat actors are experimenting with obfuscation techniques to bypass automated URL scanning and detection mechanisms. Port numbers embedded in URLs, as seen in @80, are likely tied to WebDAV communications, pointing to advanced usage of Microsoft protocols in attacks.
Moreover, the identification of private IPs alongside public domains indicates lateral movement attempts within compromised networks. Analysts must therefore not only extract URLs but also evaluate internal network exposure to prevent further compromise.
The modularity of Didier’s command-line workflow makes it highly scalable. Integrating such parsing into automated sandbox environments can accelerate incident response, reduce false negatives, and uncover secondary payloads hidden in embedded objects like ZIP files.
Cybersecurity teams should also take note of the JSON output, as it provides a structured approach to analyze potentially hundreds of embedded objects per file. This level of detail allows researchers to correlate indicators of compromise (IOCs) across multiple samples efficiently.
From a strategic perspective, awareness of these RTF tricks underscores the importance of robust phishing awareness programs. Employees must be trained to recognize misleading .doc or .rtf attachments, especially those promising sensitive topics like “Ukraine” or health-related content, which remain popular bait in spear-phishing campaigns.
As attackers increasingly exploit legacy formats like RTF, defenders must combine technical parsing skills with threat intelligence to stay ahead. Didier Stevens’ methodology is a strong foundation, but it should be complemented by continuous monitoring of new CVE exploits, emerging URL obfuscation techniques, and network-based detection systems.
Fact Checker Results:
✅ Malicious RTF files exploiting CVE-2026-21509 are confirmed as active threats.
✅ Didier Stevens’ command-line method accurately extracts URLs from RTF files.
❌ The use of @ after hostnames is non-standard; its exact usage in attacks requires further research.
Prediction:
📌 Expect an increase in obfuscated RTF campaigns using port numbers and malformed URLs to evade detection.
📌 Analysts will likely expand workflows to automatically parse embedded ZIP files and other container formats in RTFs.
📌 Threat actors may blend internal IP targeting with external command-and-control domains, signaling more sophisticated lateral movement tactics.
If you want, I can also create a visual diagram showing how this URL extraction workflow works step by step, which would make it much easier for analysts to follow. Do you want me to do that?
🕵️📝✔️Let’s dive deep and fact‑check.
References:
Reported By: isc.sans.edu
Extra Source Hub (Possible Sources for article):
https://www.medium.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
Bing
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon




