Skip to main content

Malware Analysis 3103: Rich Text Format (RTF)

Enrollment is Closed

About This Course

Documents are at the core of most business processes today. Over the years the complexity of documents formats has increased considerably to enrich user experience and ensure interoperability between different formats. This variety and complexity provides offensive teams with a large attack surface while the need for usability and accessibility creates challenges for defenders.

Today, malicious documents are a common attack vector. In addition to providing an entrypoint into target systems they can also be used when pivoting across the network.

In the malicious documents series of courses we will go through some of the most common document file formats. We will start with an overview of each format. Based on this we will look at tools & methods to analyze them and common payload delivery techniques. We will work our way through some case studies of malicious documents (e.g. containing exploits). We will also look into custom tooling for automating some of these tasks.

The goal of these courses is to develop a sense of where things go wrong in file formats and how to spot that. In addition we aim to understand how seemingly non-malicious side-effects may be used as part of an attack and how this relates to documents.

There will be plenty of mentions and references of how this is used in real attacks.


While coding experience is desirable to get the most out of this course it is not strictly required. Familiarity with file formats in general and hex editors is required (completing Life of Binaries should suffice).

Course Staff



Stefan has been involved in malware analysis as a reverser, developer, and researcher for most of the last 15 years. Over the years he provided multiple private training engagements on malware analysis from basics to techniques used by APT groups. In his free time he sometimes plays CTFs with PwnThyBytes.

Frequently Asked Questions

What learning paths is this class used in?

Malware Analysis

Does the instructor teach this class in person?

No, due to current restrictions with regards to the COVID-19 pandemic. In the future this may change and depend upon instructor availability.