Malicious RTF — malware analysis report

Static analysis result for SHA-256 47cc3eb74972cc0f…

MALICIOUS

RTF

Size: 791.9 KB
First seen: 2017-12-24
MD5: b74f41e8a1f2a90eabd5dbd9b8dbc62c
SHA-1: 5724f61d9d5925abddbaa7d6ca263466728df53e
SHA-256: 47cc3eb74972cc0ff5a0ffd1c9acfab673ef1cf347b90eeb4b48bb9f3d680da0
Risk score: 502

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF document contains OLE object data that uses remote monikers, which specifically indicates exploitation of CVE-2017-0199 or CVE-2017-8759. It attempts to download a payload from the URL http://new.wex-online.co/d/u.php?stats=send&thread=0. String references to the CreateProcess, WriteProcessMemory, and LoadLibrary APIs suggest that the downloaded payload is executed. ClamAV also detects this file as Rtf.Downloader.CVE_2017-6336326-3.

Heuristics (13)

  • CVE-2017-0199 / CVE-2017-8759 (OLE2Link auto-activated remote loader) (severity: critical, CVE related, rule: RTF_OLE2LINK_REMOTE_MONIKER_LOADER)
    The RTF embeds an OLE2Link object that is force-activated with \objupdate (no user interaction is needed on open) and fetches a remote second stage through an INCLUDETEXT/INCLUDEPICTURE field. This is the field-delivered OLE2Link auto-update attack path shared by CVE-2017-0199 (the server returns an HTA/scriptlet) and CVE-2017-8759 (the server returns a SOAP WSDL that the .NET parser compiles). Office processes the fetched response through the same code path, so which CVE applies depends on the content type the server returned; that server is no longer reachable.
  • ClamAV: Rtf.Downloader.CVE_2017-6336326-3 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Rtf.Downloader.CVE_2017-6336326-3
  • Reference to WriteProcessMemory API (severity: critical, rule: SC_STR_WRITEPROCESSMEMORY)
  • PEB access via FS segment (x86) (severity: high, rule: SC_PEB_ACCESS)
    Disassembly: attempted x86 opcode disassembly
    0001EB2E  64a130000000      mov eax, dword ptr fs:[0x30]
    0001EB34  8b4068            mov eax, dword ptr [eax + 0x68]
    0001EB37  c1e808            shr eax, 8
    0001EB3A  a801              test al, 1
    0001EB3C  7510              jne 0x1eb4e
    0001EB3E  ff7508            push dword ptr [ebp + 8]
    0001EB41  ff15c0204200      call dword ptr [0x4220c0]
    0001EB47  50                push eax
    0001EB48  ff15c4204200      call dword ptr [0x4220c4]
    0001EB4E  ff7508            push dword ptr [ebp + 8]
    0001EB51  e84f000000        call 0x1eba5
    0001EB56  59                pop ecx
    0001EB57  ff7508            push dword ptr [ebp + 8]
    0001EB5A  ff15ec204200      call dword ptr [0x4220ec]
    0001EB60  cc                int3
    0001EB61  6a00              push 0
    0001EB63  ff1568204200      call dword ptr [0x422068]
    0001EB69  8bc8              mov ecx, eax
    0001EB6B  85c9              test ecx, ecx
    0001EB6D  7503              jne 0x1eb72
    0001EB6F  32c0              xor al, al
    0001EB71  c3                ret
    0001EB72  b84d5a0000        mov eax, 0x5a4d
    0001EB77  663901            cmp word ptr [ecx], ax
    0001EB7A  75f3              jne 0x1eb6f
    0001EB7C  8b413c            mov eax, dword ptr [ecx + 0x3c]
    0001EB7F  03c1              add eax, ecx
    0001EB81  813850450000      cmp dword ptr [eax], 0x4550
    0001EB87  75e6              jne 0x1eb6f
    0001EB89  b90b010000        mov ecx, 0x10b
  • Reference to CreateProcess API (severity: high, rule: SC_STR_CREATEPROCESS)
  • Suspicious cmd.exe invocation with execution flag (severity: high, rule: SC_STR_CMD)
  • Reference to LoadLibrary API (severity: high, rule: SC_STR_LOADLIBRARY)
  • Reference to GetProcAddress API (severity: high, rule: SC_STR_GETPROCADDRESS)
  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    The RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • INCLUDETEXT/INCLUDEPICTURE remote URL (severity: high, rule: RTF_INCLUDE_REMOTE)
    The RTF document uses INCLUDETEXT or INCLUDEPICTURE with an http:// URL. Depending on the Office version and external-content settings, Word can fetch the remote content on open, enabling remote template injection, NTLM capture via redirects, or payload delivery.
  • Reference to VirtualAlloc API (severity: medium, rule: SC_STR_VIRTUALALLOC)
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    The RTF contains 2 \objdata section(s), i.e. embedded OLE objects.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://new.wex-online.co/d/u.php?stats=send&thread=0 (channel: RTF body)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
objdata_00_off0000c568.bin | rtf-objdata-decoded | RTF \objdata at offset 0xC568 | 2598 bytes
  SHA-256: 42de0f34a6a6c3f8190e29a736d5751e2753608c2f6d54f9753554fdad91f0a0
objdata_01_off0000dc96.bin | rtf-objdata-decoded | RTF \objdata at offset 0xDC96 | 2723 bytes
  SHA-256: 83e2d80ff1057d52c6a85b686672e8c96aa0e3fabbcae359c010f59cdb9eeb63