Malicious RTF — malware analysis report

Static analysis result for SHA-256 3f69f7f7ad3e9c5b…

MALICIOUS

RTF

Size: 288.9 KB
First seen: 2015-09-30
MD5: 92a6a0989766b586e2c37460c9dea9e0
SHA-1: ab151715009b7d4f366294df1d210f2f8bde02a5
SHA-256: 3f69f7f7ad3e9c5bfc70cd86477b1dd68c9fede0fbb915206870ba938f1a0445
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF document contains an embedded OLE object, identified as a critical heuristic for CVE-2012-0158. This exploit targets the MSCOMCTL.ListView control, indicating the file is designed to execute arbitrary code. The presence of XOR-encoded strings further suggests obfuscation to hide malicious content, likely a downloader for a secondary payload.

Heuristics 3

  • MSCOMCTL.ListView — CVE-2012-0158 (severity: high; tags: CVE related, CVE_2012_0158)
    RTF \objdata decodes to OLE data containing the MSCOMCTL.ListView — CVE-2012-0158 CLSID — the vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
  • XOR-encoded strings (key 0xFC) (severity: critical; tag: SC_XOR_ENCODED)
    Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0xFC: 'LoadLibraryA', 'LoadLibraryA', 'LoadLibraryA', 'LoadLibraryA', 'LoadLibraryW', 'GetProcAddress', 'GetProcAddress', 'GetProcAddress'
    Disassembly
    Attempted x86 opcode disassembly
    0000ADDB  b093              mov al, 0x93
    0000ADDD  9d                popfd
    0000ADDE  98                cwde
    0000ADDF  b095              mov al, 0x95
    0000ADE1  9e                sahf
    0000ADE2  8e9d8e85bd00      mov ds, word ptr [ebp + 0xbd858e]
    0000ADE8  0049fe            add byte ptr [ecx - 2], cl
    0000ADEB  b592              mov ch, 0x92
    0000ADED  95                xchg ebp, eax
    0000ADEE  88959d909586      mov byte ptr [ebp - 0x796a6f63], dl
    0000ADF4  99                cdq
    0000ADF5  bf8e958895        mov edi, 0x9588958e
    0000ADFA  9f                lahf
    0000ADFB  9d                popfd
    0000ADFC  90                nop
    0000ADFD  af                scasd eax, dword ptr es:[edi]
    0000ADFE  99                cdq
    0000ADFF  9f                lahf
    0000AE00  88959392bd92      mov byte ptr [ebp - 0x6d426d6d], dl
    0000AE06  98                cwde
    0000AE07  af                scasd eax, dword ptr es:[edi]
    0000AE08  8c9592bf9389      mov word ptr [ebp - 0x766c406e], ss
    0000AE0E  92                xchg edx, eax
    0000AE0F  8800              mov byte ptr [eax], al
    0000AE11  61                popal
    0000AE12  fe                .byte 0xfe
    0000AE13  b499              mov ah, 0x99
    0000AE15  9d                popfd
    0000AE16  8c                .byte 0x8c
    0000AE17  bd9090939f        mov ebp, 0x9f939090
    0000AE1C  0058fe            add byte ptr [eax - 2], bl
    0000AE1F  b499              mov ah, 0x99
    0000AE21  9d                popfd
    0000AE22  8cae99bd9090      mov word ptr [esi - 0x6f6f4267], gs
    0000AE28  93                xchg ebx, eax
    0000AE29  9f                lahf
    0000AE2A  0014fdbb9988b0    add byte ptr [edi*8 - 0x4f776645], dl
    0000AE31  93                xchg ebx, eax
    0000AE32  9f                lahf
    0000AE33  9d                popfd
    0000AE34  90                nop
    0000AE35  99                cdq
    0000AE36  b592              mov ch, 0x92
    0000AE38  9a                .byte 0x9a
    0000AE39  93                xchg ebx, eax
    0000AE3A  bd                .byte 0xbd
  • OLE object data (severity: medium; tag: RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000006e.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x6E
Size: 3893 bytes
SHA-256: 24ab7d449ad81a3dab2d4ad56d1ea549d7c30b3d1272df65c021577ac39943b2