Verdict: MALICIOUS
Risk Score: 222
MITRE ATT&CK: T1203 Exploitation for Client Execution

Malware Insights
The sample is an RTF file that contains embedded OLE objects and triggers heuristics for CVE-2012-0158 and CVE-2014-1761, indicating exploitation of known vulnerabilities. The XOR-encoded strings and PEB access suggest obfuscation and anti-analysis techniques. The embedded URL points to a likely second-stage executable payload.
Heuristics (6)

- MSCOMCTL.ListView — CVE-2012-0158 [high, CVE_2012_0158]: RTF \objdata decodes to OLE data containing the MSCOMCTL.ListView — CVE-2012-0158 CLSID — the vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
- ClamAV: Rtf.Exploit.Cve_2014_1761-2 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Rtf.Exploit.Cve_2014_1761-2
- XOR-encoded strings (key 0xF3) [critical, SC_XOR_ENCODED]: Found 2 Windows library/API name(s) XOR-encoded with single-byte key 0xF3: 'advapi32.dll', 'advapi32.dll'

  Disassembly (attempted x86 opcode disassembly):

  ```
  00008845 92                    xchg edx, eax
  00008846 97                    xchg edi, eax
  00008847 8592839ac0c1          test dword ptr [edx - 0x3e3f657d], edx
  0000884D dd979f9f0080          fst qword ptr [edi - 0x7fff6061]
  00008853 8799989a9bdb          xchg dword ptr [ecx - 0x24646568], ebx
  00008859 91                    xchg ecx, eax
  0000885A 99                    cdq
  0000885B 99                    cdq
  0000885C 009c90c9e38fcd        add byte ptr [eax + edx*4 - 0x32701c37], bl
  00008863 97                    xchg edi, eax
  00008864 8f                    .byte 0x8f
  00008865 89cb                  mov ebx, ecx
  00008867 61                    popal
  00008868 d0359f39a600          sal byte ptr [0xa6399f], 1
  0000886E f695abfd10df          not byte ptr [ebp - 0x20ef0255]
  00008874 6f                    outsd dx, dword ptr [esi]
  00008875 9f                    lahf
  00008876 7a97                  jp 0x880f
  00008878 6ac0                  push -0x40
  0000887A 1f                    pop ds
  0000887B 75a9                  jne 0x8826
  0000887D 649d                  popfd
  0000887F 9d                    popfd
  00008880 e0df                  loopne 0x8861
  00008882 b652                  mov dh, 0x52
  00008884 aa                    stosb byte ptr es:[edi], al
  00008885 d6                    salc
  00008886 df                    .byte 0xdf
  00008887 ce                    into
  00008888 79c0                  jns 0x884a
  0000888A 7b1c                  jnp 0x88a8
  0000888C 74e9                  je 0x8877
  0000888E 32f0                  xor dh, al
  00008890 e6ed                  out 0xed, al
  00008892 755f                  jne 0x88f3
  00008894 ef                    out dx, eax
  00008895 7758                  ja 0x88ef
  00008897 d14ae2                ror dword ptr [edx - 0x1e], 1
  0000889A 91                    xchg ecx, eax
  0000889B b740                  mov bh, 0x40
  0000889D 60                    pushal
  0000889E c5                    .byte 0xc5
  0000889F c9                    leave
  000088A0 4d                    dec ebp
  000088A1 16                    push ss
  000088A2 ec                    in al, dx
  000088A3 1a00                  sbb al, byte ptr [eax]
  ```
- PEB access via FS segment (x86) [high, SC_PEB_ACCESS]

  Disassembly (attempted x86 opcode disassembly):

  ```
  0000AF88 64a130000000          mov eax, dword ptr fs:[0x30]
  0000AF8E 8a4002                mov al, byte ptr [eax + 2]
  0000AF91 84c0                  test al, al
  0000AF93 61                    popal
  0000AF94 0f852e010000          jne 0xb0c8
  0000AF9A 0f8428010000          je 0xb0c8
  0000AFA0 3f                    aas
  0000AFA1 d6                    salc
  0000AFA2 5b                    pop ebx
  0000AFA3 58                    pop eax
  0000AFA4 47                    inc edi
  0000AFA5 59                    pop ecx
  0000AFA6 692d3730a6347f7064e8  imul ebp, dword ptr [0x34a63037], 0xe864707f
  0000AFB0 1e                    push ds
  0000AFB1 8b6b77                mov ebp, dword ptr [ebx + 0x77]
  0000AFB4 67e850ea13aa          call 0xaa149a0a
  0000AFBA 7d14                  jge 0xafd0
  0000AFBC 97                    xchg edi, eax
  0000AFBD 44                    inc esp
  0000AFBE 30a5a31a01a7          xor byte ptr [ebp - 0x58fee55d], ah
  0000AFC4 4e                    dec esi
  0000AFC5 f65def                neg byte ptr [ebp - 0x11]
  0000AFC8 c6                    .byte 0xc6
  0000AFC9 7274                  jb 0xb03f
  0000AFCB 6ae9                  push -0x17
  0000AFCD 108d9c1cc20f          adc byte ptr [ebp + 0xfc21c9c], cl
  0000AFD3 f254                  push esp
  0000AFD5 4b                    dec ebx
  0000AFD6 bce71b4f92            mov esp, 0x924f1be7
  0000AFDB 6f                    outsd dx, dword ptr [esi]
  0000AFDC 95                    xchg ebp, eax
  0000AFDD 3b3d1deb1169          cmp edi, dword ptr [0x6911eb1d]
  0000AFE3 5e                    pop esi
  0000AFE4 8cc8                  mov eax, cs
  0000AFE6 b5fb                  mov ch, 0xfb
  ```
- OLE object data [medium, RTF_OBJDATA]: RTF contains 4 \objdata section(s) — embedded OLE objects
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://173.208.195.150/gu/s.exe (in RTF body)
Extracted artifacts (4)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| objdata_00_off00000080.bin | rtf-objdata-decoded | RTF \objdata at offset 0x80 | 123 bytes | 918283222db1827a77e00779d9efe012c7f35cc8b628b0dbde5443f8fff278b1 |
| objdata_01_off000001c9.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1C9 | 40 bytes | 37aa5fe751e5aba26b25a2c786f2c29b5f3208f7759cb31145ae2630179935b8 |
| objdata_02_off00000231.bin | rtf-objdata-decoded | RTF \objdata at offset 0x231 | 5753 bytes | 91b8a3ee2ca2e801d267aad45c9b5cf3b035dbbdc3484d46bf7adf23468bedd9 |
| objdata_03_off00000292.bin | rtf-objdata-decoded | RTF \objdata at offset 0x292 | 2356 bytes | 0b630dc0bfc216a86fd403651e917f48be40261ed9d4e6ae457652dbcc4bbb7a |