Malicious RTF — malware analysis report

Static analysis result for SHA-256 00c95da548791d2f…

Verdict: MALICIOUS
File type: RTF
Size: 90.5 KB
First seen: 2015-09-16
MD5: 401339da1df73687e8b75a8f54454cd0
SHA-1: 8d49749364bbdf89964d5377bbf32378162ee0e0
SHA-256: 00c95da548791d2fb3c9a6078703f46b3f1a91c7c112d171e80b9a3b0caba9c1
Risk score: 120

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF document contains OLE object data and triggers the CVE-2012-0158 heuristic, indicating exploitation of a vulnerability in MSCOMCTL.ListView. The XOR-encoded strings suggest obfuscation, likely to hide a malicious payload or script. The embedded objdata is the primary indicator of malicious activity, pointing towards an exploit designed to execute arbitrary code.

Heuristics (3)

  • MSCOMCTL.ListView — CVE-2012-0158 (severity: high; category: CVE related; rule: CVE_2012_0158)
    RTF \objdata decodes to OLE data containing the MSCOMCTL.ListView — CVE-2012-0158 CLSID — the vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
  • XOR-encoded strings (key 0xFC) (severity: critical; rule: SC_XOR_ENCODED)
    Found 3 Windows library/API name(s) XOR-encoded with single-byte key 0xFC: 'LoadLibraryA', 'GetProcAddress', 'VirtualAlloc'
    Disassembly
    Attempted x86 opcode disassembly
    0000AC59  b093              mov al, 0x93
    0000AC5B  9d                popfd
    0000AC5C  98                cwde
    0000AC5D  b095              mov al, 0x95
    0000AC5F  9e                sahf
    0000AC60  8e9d8e85bd00      mov ds, word ptr [ebp + 0xbd858e]
    0000AC66  0049fe            add byte ptr [ecx - 2], cl
    0000AC69  b592              mov ch, 0x92
    0000AC6B  95                xchg ebp, eax
    0000AC6C  88959d909586      mov byte ptr [ebp - 0x796a6f63], dl
    0000AC72  99                cdq
    0000AC73  bf8e958895        mov edi, 0x9588958e
    0000AC78  9f                lahf
    0000AC79  9d                popfd
    0000AC7A  90                nop
    0000AC7B  af                scasd eax, dword ptr es:[edi]
    0000AC7C  99                cdq
    0000AC7D  9f                lahf
    0000AC7E  88959392bd92      mov byte ptr [ebp - 0x6d426d6d], dl
    0000AC84  98                cwde
    0000AC85  af                scasd eax, dword ptr es:[edi]
    0000AC86  8c9592bf9389      mov word ptr [ebp - 0x766c406e], ss
    0000AC8C  92                xchg edx, eax
    0000AC8D  8800              mov byte ptr [eax], al
    0000AC8F  a7                cmpsd dword ptr [esi], dword ptr es:[edi]
    0000AC90  fd                std
    0000AC91  bb9988bfac        mov ebx, 0xacbf8899
    0000AC96  b592              mov ch, 0x92
    0000AC98  9a9300aefdbb99    lcall 0x99bb, 0xfdae0093
    0000AC9F  88bdbfac0000      mov byte ptr [ebp + 0xacbf], bh
    0000ACA5  ef                out dx, eax
    0000ACA6  fe                .byte 0xfe
    0000ACA7  bb9988b3b9        mov ebx, 0xb9b38899
    0000ACAC  b1bf              mov cl, 0xbf
    0000ACAE  ac                lodsb al, byte ptr [esi]
    0000ACAF  0000              add byte ptr [eax], al
    0000ACB1  27                daa
    0000ACB2  fe                .byte 0xfe
    0000ACB3  b58f              mov ch, 0x8f
    0000ACB5  aa                stosb byte ptr es:[edi], al
    0000ACB6  9d                popfd
    0000ACB7  90                nop
    0000ACB8  95                xchg ebp, eax
  • OLE object data (severity: medium; rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000007a.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x7A
Size: 4593 bytes
SHA-256: 86e750c1e721b16acb315f86f47512d834951570f77bd66b6ea617b2154188e6