Malicious RTF — malware analysis report

Static analysis result for SHA-256 5938087956a08429…

Verdict: MALICIOUS
File type: RTF
Size: 112.9 KB    First seen: 2015-04-05
MD5: a81cdc7ba4003935eddf0bdff7b4a99e
SHA-1: daaedc252acb3cf5b234fd54656e7f0e03220e47
SHA-256: 5938087956a084298762fc612f504227da549f3cc25780550d91ef0fbf046e61
Risk score: 120

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF document contains a critical heuristic indicating exploitation of CVE-2010-3333, a stack-based buffer overflow in the RTF parser of Microsoft Office (the pFragments shape property, patched in MS10-087). The overflow is most likely used to run embedded shellcode, which would then stage further malicious content; the XOR-encoded API names reported below (LoadLibraryA, GetProcAddress, CreateProcessA, RegOpenKeyExA) fit a payload that resolves imports dynamically and launches a process. No download-related API names are reported, so the download step is an inference from the exploit type rather than an observed behavior, and no specific malware family could be identified from the available evidence.
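The scanner below is an added example, not output of the analysis platform or code from the sample. It shows what the pFragments heuristic amounts to in practice: locate {\sn pFragments}{\sv ...} shape-property pairs, split the value into its count, size and hex-data fields, and flag a hex payload longer than a threshold, since the CVE-2010-3333 trigger is a fragment array far larger than the fixed stack buffer it is copied into. The threshold (256 hex characters) and the two RTF samples are constructed for the example; the property structure is the documented trigger form.

```python
"""Heuristic check for the CVE-2010-3333 pFragments trigger in an RTF file."""
import re

# An RTF shape property is written as the pair {\sn <name>}{\sv <value>}.
# For pFragments the value has the form "<count>;<size>;<hex data>", and the
# CVE-2010-3333 trigger is a hex payload far longer than the fixed-size stack
# buffer it is copied into.  Whitespace and line breaks are legal between
# groups, so the pattern tolerates them; the name match is case-insensitive
# to catch trivial casing tricks.
PFRAGMENTS_RE = re.compile(rb"\{\\sn\s*pFragments\s*\}\s*\{\\sv\s*([^}]*)\}", re.IGNORECASE)

# Assumed threshold, not taken from the report: a benign pFragments value is
# typically short, so anything beyond this many hex characters is treated as
# oversized.
MAX_HEX_CHARS = 256

NON_HEX = re.compile(rb"[^0-9a-fA-F]")


def _to_int(field):
    """Parse a numeric field of the \\sv value; None if it is not a number."""
    try:
        return int(field.strip())
    except ValueError:
        return None


def parse_sv_value(raw):
    """Split '<count>;<size>;<hex>' into (count, size, hex_chars).

    Line breaks and other non-hex characters inside the data field are
    dropped, which also defeats simple whitespace padding of the payload.
    """
    parts = raw.split(b";", 2)
    if len(parts) != 3:
        return None
    return _to_int(parts[0]), _to_int(parts[1]), NON_HEX.sub(b"", parts[2])


def scan_pfragments(rtf, max_hex=MAX_HEX_CHARS):
    """Return one finding per pFragments property, flagging oversized payloads."""
    findings = []
    for m in PFRAGMENTS_RE.finditer(rtf):
        parsed = parse_sv_value(m.group(1))
        if parsed is None:
            continue
        count, size, hexdata = parsed
        findings.append({
            "offset": m.start(),
            "count": count,
            "size": size,
            "hex_len": len(hexdata),
            "oversized": len(hexdata) > max_hex,
        })
    return findings


def is_cve_2010_3333_candidate(rtf, max_hex=MAX_HEX_CHARS):
    """True if any pFragments value in the document is oversized."""
    return any(f["oversized"] for f in scan_pfragments(rtf, max_hex))


# Constructed samples (not the analyzed file): a benign 4-byte fragment array
# and a trigger-shaped one whose hex payload is spread over several lines.
BENIGN_RTF = b"{\\rtf1{\\shp{\\sp{\\sn pFragments}{\\sv 1;4;deadbeef}}}}"
MALICIOUS_RTF = (
    b"{\\rtf1{\\shp{\\sp{\\sn pFragments}{\\sv 1;1;"
    + (b"41" * 40 + b"\r\n") * 15   # 1200 hex characters of filler
    + b"}}}}"
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_RTF), ("malicious", MALICIOUS_RTF)):
        for f in scan_pfragments(sample):
            print(f"{label}: offset={f['offset']} count={f['count']} size={f['size']} "
                  f"hex_len={f['hex_len']} oversized={f['oversized']}")
```

The length check is deliberately applied to the hex field only, after stripping non-hex characters: real samples pad or line-wrap the payload, and a check on the raw group length would both over- and under-count. Nested groups or control words inside the \sv value are not handled here; a production rule would want a proper RTF tokenizer.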

Heuristics 2

  • CVE-2010-3333 — pFragments RTF stack overflow (severity: critical; CVE match: exact, CVE_2010_3333)
    RTF shape property pFragments has an oversized value, matching the CVE-2010-3333 stack-overflow trigger in Microsoft Word 2002/2003 (the bug, patched in MS10-087, also affects later Office versions).
  • XOR-encoded strings (key 0xFC) (severity: critical; rule: SC_XOR_ENCODED)
    Found 4 Windows library/API name(s) XOR-encoded with single-byte key 0xFC: 'LoadLibraryA', 'GetProcAddress', 'CreateProcessA', 'RegOpenKeyExA'
    Disassembly
    Attempted x86 opcode disassembly (linear sweep of the raw file bytes). This region is the XOR-encoded string table itself rather than code: the first twelve bytes (b0 93 9d 98 b0 95 9e 8e 9d 8e 85 bd) XOR 0xFC give 'LoadLibraryA', and the records that follow decode to 'MultiByteToWideChar', 'OutputDebugStringA', 'ResumeThread', 'QueueUserAPC' and a name cut off at 'Slee' where the listing ends (only the first of these is among the four names the heuristic reports). Records are separated by literal 0x00 bytes that stay unencoded; an encoded null would appear as 0xFC. The mnemonics below are therefore an artifact of disassembling data and should not be read as the payload's logic. The ResumeThread/QueueUserAPC pair is worth noting, as it is commonly used for APC-based code injection.
    00004BAA  b093              mov al, 0x93
    00004BAC  9d                popfd
    00004BAD  98                cwde
    00004BAE  b095              mov al, 0x95
    00004BB0  9e                sahf
    00004BB1  8e9d8e85bd00      mov ds, word ptr [ebp + 0xbd858e]
    00004BB7  0018              add byte ptr [eax], bl
    00004BB9  fd                std
    00004BBA  b189              mov cl, 0x89
    00004BBC  90                nop
    00004BBD  8895be858899      mov byte ptr [ebp - 0x66777a42], dl
    00004BC3  a893              test al, 0x93
    00004BC5  ab                stosd dword ptr es:[edi], eax
    00004BC6  95                xchg ebp, eax
    00004BC7  98                cwde
    00004BC8  99                cdq
    00004BC9  bf949d8e00        mov edi, 0x8e9d94
    00004BCE  09fd              or ebp, edi
    00004BD0  b389              mov bl, 0x89
    00004BD2  888c8988b8999e    mov byte ptr [ecx + ecx*4 - 0x61664778], cl
    00004BD9  899baf888e95      mov dword ptr [ebx - 0x6a717751], ebx
    00004BDF  92                xchg edx, eax
    00004BE0  9b                wait
    00004BE1  bd0000d0fe        mov ebp, 0xfed00000
    00004BE6  ae                scasb al, byte ptr es:[edi]
    00004BE7  99                cdq
    00004BE8  8f                .byte 0x8f
    00004BE9  899199a8948e      mov dword ptr [ecx - 0x716b5767], edx
    00004BEF  99                cdq
    00004BF0  9d                popfd
    00004BF1  98                cwde
    00004BF2  0000              add byte ptr [eax], al
    00004BF4  f5                cmc
    00004BF5  fe                .byte 0xfe
    00004BF6  ad                lodsd eax, dword ptr [esi]
    00004BF7  89998999a98f      mov dword ptr [ecx - 0x70566677], ebx
    00004BFD  99                cdq
    00004BFE  8e                .byte 0x8e
    00004BFF  bdacbf0000        mov ebp, 0xbfac
    00004C04  6afe              push -2
    00004C06  af                scasd eax, dword ptr es:[edi]
    00004C07  90                nop
    00004C08  99                cdq
    00004C09  99                cdq
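The decoder below is an added example, not part of the analysis platform's output or the sample's code. It embeds the 96 bytes from the listing above (transcribed from the opcode column, file offset 0x4BAA onward), recovers the single-byte key by brute force using the four API names the heuristic reports as a dictionary, and then prints every decoded string with its file offset. Key recovery goes beyond the page, which already states 0xFC; the extra names it exposes follow directly from the listed bytes.

```python
"""Decode the single-byte-XOR string table flagged by the SC_XOR_ENCODED heuristic."""
import re

# The 96 raw bytes at file offset 0x4BAA, transcribed from the disassembly
# listing.  They are still XOR-encoded: this is the data that the linear
# sweep turned into meaningless instructions.
BASE_OFFSET = 0x4BAA
ENCODED = bytes.fromhex(
    "b0939d98b0959e8e9d8e85bd000018fd"
    "b189908895be858899a893ab959899bf949d8e0009fd"
    "b389888c8988b8999e899baf888e95929bbd0000d0fe"
    "ae998f899199a8948e999d980000f5fe"
    "ad89998999a98f998ebdacbf00006afe"
    "af909999"
)

# The four names the heuristic reports, used as a dictionary for key recovery.
KNOWN_API_NAMES = [b"LoadLibraryA", b"GetProcAddress", b"CreateProcessA", b"RegOpenKeyExA"]

# A run of at least four printable ASCII characters.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def xor_decode(blob, key):
    """Apply a single-byte XOR key to every byte."""
    return bytes(b ^ key for b in blob)


def find_strings(blob, key, base=0):
    """Decode with `key` and return (file_offset, text) for each printable run.

    The record separators (literal 0x00 bytes plus a couple of trailing bytes)
    decode to non-printable values, so the runs line up with the encoded names.
    """
    decoded = xor_decode(blob, key)
    return [(base + m.start(), m.group().decode("ascii"))
            for m in PRINTABLE_RUN.finditer(decoded)]


def recover_key(blob, known=KNOWN_API_NAMES):
    """Brute-force the 256 possible keys.

    The winner is the key that exposes the most dictionary names; the number of
    printable runs breaks ties when the dictionary gives no hit.  A dictionary
    is needed because a key that differs only in bit 0x20 flips letter case and
    still looks perfectly printable, so a pure printability score cannot tell
    the two apart.
    """
    def score(key):
        decoded = xor_decode(blob, key)
        hits = sum(1 for name in known if name in decoded)
        return (hits, len(PRINTABLE_RUN.findall(decoded)))
    return max(range(256), key=score)


if __name__ == "__main__":
    key = recover_key(ENCODED)
    print(f"recovered key: 0x{key:02X}")
    for offset, text in find_strings(ENCODED, key, BASE_OFFSET):
        print(f"{offset:08X}  {text}")
```

Run against the embedded bytes this recovers 0xFC and lists LoadLibraryA at 0x4BAA, MultiByteToWideChar at 0x4BBA, OutputDebugStringA at 0x4BD0, ResumeThread at 0x4BE6, QueueUserAPC at 0x4BF6 and the truncated 'Slee' at 0x4C06. To apply it to the whole sample rather than this excerpt, replace ENCODED with the file contents and keep the dictionary: the key search is linear in file size and the offsets then map straight onto the disassembler's addresses.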