Malicious RTF — malware analysis report

Static analysis result for SHA-256 0bff6e2028cce615…

Verdict: MALICIOUS
File type: RTF
Size: 818.4 KB
Created: 2017-11-20 19:23:00
First seen: 2019-02-26
MD5: 001cfd370eecd48b46c22677d6480d0b
SHA-1: b3afb1b7adb6b6f7c789d10a1beb9b00f4a6aa44
SHA-256: 0bff6e2028cce61547613a4c9bf82e167de538d7ff16a8c203413524e25452ad
Risk Score: 380

Malware Insights

MITRE ATT&CK: T1203 Exploitation for Client Execution

The RTF file contains OLE object data that is force-activated via \objupdate, exploiting CVE-2017-0199 or CVE-2017-8759. This mechanism is used to load and execute a secondary payload, indicated by Metasploit reverse shellcode and references to WinExec, VirtualAlloc, and LoadLibrary APIs. The ClamAV detection name further supports its role as a downloader.

Heuristics (9)

  • CVE-2017-0199 / CVE-2017-8759 (OLE2Link auto-activated remote loader) [severity: critical; category: CVE related; rule: RTF_OLE2LINK_REMOTE_MONIKER_LOADER]
    RTF embeds an OLE2Link object that is force-activated with \objupdate (no user interaction on open) and fetches a remote second stage — through an INCLUDETEXT/INCLUDEPICTURE field or the OLE object's own moniker. This is the OLE2Link auto-update attack path shared by CVE-2017-0199 (server returns an HTA/scriptlet) and CVE-2017-8759 (server returns a SOAP WSDL the .NET parser compiles). Office processes the fetched response through the same code path; the specific CVE depends on the now-unreachable server content type.
  • ClamAV: Rtf.Downloader.CVE_2017-6336326-3 [severity: critical; rule: CLAMAV_DETECTION]
    ClamAV detected this file as malware: Rtf.Downloader.CVE_2017-6336326-3
  • Metasploit reverse_tcp shellcode [severity: critical; rule: SC_MSF_REVERSE]
    Disassembly (attempted x86 opcode disassembly at the matched bytes):
    00064C2C  fc                cld
    00064C2D  e882000000        call 0x64cb4
    00064C32  5f                pop edi
    00064C33  5e                pop esi
    00064C34  5b                pop ebx
    00064C35  8be5              mov esp, ebp
    00064C37  5d                pop ebp
    00064C38  c3                ret
    00064C39  8d4000            lea eax, [eax]
    00064C3C  53                push ebx
    00064C3D  56                push esi
    00064C3E  8bd8              mov ebx, eax
    00064C40  3b5324            cmp edx, dword ptr [ebx + 0x24]
    00064C43  7436              je 0x64c7b
    00064C45  8bf2              mov esi, edx
    00064C47  85f6              test esi, esi
    00064C49  7518              jne 0x64c63
    00064C4B  33c0              xor eax, eax
    00064C4D  8a4318            mov al, byte ptr [ebx + 0x18]
    00064C50  8b048528ef4700    mov eax, dword ptr [eax*4 + 0x47ef28]
    00064C57  50                push eax
    00064C58  a1f06c4800        mov eax, dword ptr [0x486cf0]
    00064C5D  8b00              mov eax, dword ptr [eax]
    00064C5F  ffd0              call eax
    00064C61  8bd0              mov edx, eax
    00064C63  895324            mov dword ptr [ebx + 0x24], edx
    00064C66  c6434401          mov byte ptr [ebx + 0x44], 1
    00064C6A  8b4304            mov eax, dword ptr [ebx + 4]
    00064C6D  e8ba060000        call 0x6532c
    00064C72  85f6              test esi, esi
    00064C74  7505              jne 0x64c7b
    00064C76  33c0              xor eax, eax
    00064C78  894324            mov dword ptr [ebx + 0x24], eax
    00064C7B  5e                pop esi
    00064C7C  5b                pop ebx
    00064C7D  c3                ret
    00064C7E  8bc0              mov eax, eax
    00064C80  3b5028            cmp edx, dword ptr [eax + 0x28]
    00064C83  7413              je 0x64c98
    00064C85  895028            mov dword ptr [eax + 0x28], edx
    00064C88  c6402c00          mov byte ptr [eax + 0x2c], 0
  • Reference to WinExec API [severity: high; rule: SC_STR_WINEXEC]
  • Reference to LoadLibrary API [severity: high; rule: SC_STR_LOADLIBRARY]
  • Reference to GetProcAddress API [severity: high; rule: SC_STR_GETPROCADDRESS]
  • \objupdate forces OLE activation [severity: high; rule: RTF_OBJUPDATE]
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • Reference to VirtualAlloc API [severity: medium; rule: SC_STR_VIRTUALALLOC]
  • OLE object data [severity: medium; rule: RTF_OBJDATA]
    RTF contains 2 \objdata section(s) — embedded OLE objects

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000001d7.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1D7
Size: 2598 bytes
SHA-256: a146c6985c10cbb56b61e41b392364f6f1e5bee352ccf463b85b1634b13ec499

Filename: objdata_01_off00001905.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1905
Size: 2674 bytes
SHA-256: e293e79ea09eae7ddd4701951c07de9d4affcb93fe1bb6b246b18458b3d3f766