Malicious RTF — malware analysis report

Static analysis result for SHA-256 1ed2e40b875df959…

Verdict: MALICIOUS
File type: RTF
Size: 732.9 KB
Created: 2017-11-20 19:23:00
First seen: 2017-12-09
MD5: db282b903014ca47dea101fffe60a6c0
SHA-1: 323b61f5127a9d55f6a57d4c817d16c6e74cafc8
SHA-256: 1ed2e40b875df95906ba9a8e46831170b9626ef6dc17bb7177f643febeb67bd6
Risk Score: 382

Malware Insights

MITRE ATT&CK: T1203 Exploitation for Client Execution

The RTF file contains OLE object data that triggers remote loading via CVE-2017-0199 or CVE-2017-8759. The embedded URL 'http://kinesk.com/t/t.php?stats=send&thread=1' is used to download a secondary payload. Metasploit reverse shellcode was also detected, indicating the likely intent is to establish a reverse shell connection.

Heuristics (10)

  • CVE-2017-0199 / CVE-2017-8759 (OLE2Link auto-activated remote loader) [critical, CVE related] RTF_OLE2LINK_REMOTE_MONIKER_LOADER
    RTF embeds an OLE2Link object that is force-activated with \objupdate (no user interaction on open) and fetches a remote second stage through an INCLUDETEXT/INCLUDEPICTURE field. This is the field-delivered OLE2Link auto-update attack path shared by CVE-2017-0199 (server returns an HTA/scriptlet) and CVE-2017-8759 (server returns a SOAP WSDL the .NET parser compiles). Office processes the fetched response through the same code path; the specific CVE depends on the now-unreachable server content type.
  • ClamAV: Rtf.Downloader.CVE_2017-6336326-3 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Rtf.Downloader.CVE_2017-6336326-3
  • Metasploit reverse_tcp shellcode [critical] SC_MSF_REVERSE
    Metasploit reverse_tcp shellcode
    Disassembly (attempted x86 opcode disassembly):
    0006BC1F  fc                cld
    0006BC20  e882000000        call 0x6bca7
    0006BC25  5f                pop edi
    0006BC26  5e                pop esi
    0006BC27  5b                pop ebx
    0006BC28  8be5              mov esp, ebp
    0006BC2A  5d                pop ebp
    0006BC2B  c3                ret
    0006BC2C  8d4000            lea eax, [eax]
    0006BC2F  53                push ebx
    0006BC30  56                push esi
    0006BC31  8bd8              mov ebx, eax
    0006BC33  3b5324            cmp edx, dword ptr [ebx + 0x24]
    0006BC36  7436              je 0x6bc6e
    0006BC38  8bf2              mov esi, edx
    0006BC3A  85f6              test esi, esi
    0006BC3C  7518              jne 0x6bc56
    0006BC3E  33c0              xor eax, eax
    0006BC40  8a4318            mov al, byte ptr [ebx + 0x18]
    0006BC43  8b0485f8ed4600    mov eax, dword ptr [eax*4 + 0x46edf8]
    0006BC4A  50                push eax
    0006BC4B  a1846a4700        mov eax, dword ptr [0x476a84]
    0006BC50  8b00              mov eax, dword ptr [eax]
    0006BC52  ffd0              call eax
    0006BC54  8bd0              mov edx, eax
    0006BC56  895324            mov dword ptr [ebx + 0x24], edx
    0006BC59  c6434401          mov byte ptr [ebx + 0x44], 1
    0006BC5D  8b4304            mov eax, dword ptr [ebx + 4]
    0006BC60  e8ba060000        call 0x6c31f
    0006BC65  85f6              test esi, esi
    0006BC67  7505              jne 0x6bc6e
    0006BC69  33c0              xor eax, eax
    0006BC6B  894324            mov dword ptr [ebx + 0x24], eax
    0006BC6E  5e                pop esi
    0006BC6F  5b                pop ebx
    0006BC70  c3                ret
    0006BC71  8bc0              mov eax, eax
    0006BC73  3b5028            cmp edx, dword ptr [eax + 0x28]
    0006BC76  7413              je 0x6bc8b
    0006BC78  895028            mov dword ptr [eax + 0x28], edx
    0006BC7B  c6402c00          mov byte ptr [eax + 0x2c], 0
  • Reference to LoadLibrary API [high] SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API [high] SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • \objupdate forces OLE activation [high] RTF_OBJUPDATE
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • INCLUDETEXT/INCLUDEPICTURE remote URL [high] RTF_INCLUDE_REMOTE
    RTF document uses INCLUDETEXT or INCLUDEPICTURE with an http:// URL. Word can fetch the remote content on open, depending on Office version and external-content settings, enabling remote template injection, NTLM capture via redirects, or payload delivery.
  • Reference to VirtualAlloc API [medium] SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 2 \objdata section(s) (embedded OLE objects)
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://kinesk.com/t/t.php?stats=send&thread=1 (in RTF body)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                     Kind                  Source                          Size
objdata_00_off0000c568.bin   rtf-objdata-decoded   RTF \objdata at offset 0xC568   2598 bytes
  SHA-256: a146c6985c10cbb56b61e41b392364f6f1e5bee352ccf463b85b1634b13ec499
objdata_01_off0000dc96.bin   rtf-objdata-decoded   RTF \objdata at offset 0xDC96   2674 bytes
  SHA-256: e293e79ea09eae7ddd4701951c07de9d4affcb93fe1bb6b246b18458b3d3f766