Verdict: MALICIOUS (Risk Score 422)
Malware Insights
MITRE ATT&CK: T1204.002 Malicious File
The RTF file contains OLE object data that leverages CVE-2017-0199 or CVE-2017-8759 to automatically activate a remote loader. This loader attempts to download a payload from the URL http://kinesk.com/t/t.php?stats=send&thread=1. Metasploit reverse shellcode was also detected within the file, indicating a likely post-exploitation objective.
Heuristics (11)

- CVE-2017-0199 / CVE-2017-8759 (OLE2Link auto-activated remote loader) [critical, RTF_OLE2LINK_REMOTE_MONIKER_LOADER]: RTF embeds an OLE2Link object that is force-activated with \objupdate (no user interaction on open) and fetches a remote second stage through an INCLUDETEXT/INCLUDEPICTURE field. This is the field-delivered OLE2Link auto-update attack path shared by CVE-2017-0199 (server returns an HTA/scriptlet) and CVE-2017-8759 (server returns a SOAP WSDL the .NET parser compiles). Office processes the fetched response through the same code path; the specific CVE depends on the now-unreachable server content type.
- ClamAV: Rtf.Downloader.CVE_2017-6336326-3 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Rtf.Downloader.CVE_2017-6336326-3
- Metasploit reverse_tcp shellcode [critical, SC_MSF_REVERSE]: Metasploit reverse_tcp shellcode
Disassembly

Attempted x86 opcode disassembly:

```asm
00064CAE  fc              cld
00064CAF  e882000000      call 0x64d36
00064CB4  5f              pop edi
00064CB5  5e              pop esi
00064CB6  5b              pop ebx
00064CB7  8be5            mov esp, ebp
00064CB9  5d              pop ebp
00064CBA  c3              ret
00064CBB  8d4000          lea eax, [eax]
00064CBE  53              push ebx
00064CBF  56              push esi
00064CC0  8bd8            mov ebx, eax
00064CC2  3b5324          cmp edx, dword ptr [ebx + 0x24]
00064CC5  7436            je 0x64cfd
00064CC7  8bf2            mov esi, edx
00064CC9  85f6            test esi, esi
00064CCB  7518            jne 0x64ce5
00064CCD  33c0            xor eax, eax
00064CCF  8a4318          mov al, byte ptr [ebx + 0x18]
00064CD2  8b048528ef4700  mov eax, dword ptr [eax*4 + 0x47ef28]
00064CD9  50              push eax
00064CDA  a1f06c4800      mov eax, dword ptr [0x486cf0]
00064CDF  8b00            mov eax, dword ptr [eax]
00064CE1  ffd0            call eax
00064CE3  8bd0            mov edx, eax
00064CE5  895324          mov dword ptr [ebx + 0x24], edx
00064CE8  c6434401        mov byte ptr [ebx + 0x44], 1
00064CEC  8b4304          mov eax, dword ptr [ebx + 4]
00064CEF  e8ba060000      call 0x653ae
00064CF4  85f6            test esi, esi
00064CF6  7505            jne 0x64cfd
00064CF8  33c0            xor eax, eax
00064CFA  894324          mov dword ptr [ebx + 0x24], eax
00064CFD  5e              pop esi
00064CFE  5b              pop ebx
00064CFF  c3              ret
00064D00  8bc0            mov eax, eax
00064D02  3b5028          cmp edx, dword ptr [eax + 0x28]
00064D05  7413            je 0x64d1a
00064D07  895028          mov dword ptr [eax + 0x28], edx
00064D0A  c6402c00        mov byte ptr [eax + 0x2c], 0
```
- Reference to WinExec API [high, SC_STR_WINEXEC]: Reference to WinExec API
- Reference to LoadLibrary API [high, SC_STR_LOADLIBRARY]: Reference to LoadLibrary API
- Reference to GetProcAddress API [high, SC_STR_GETPROCADDRESS]: Reference to GetProcAddress API
- \objupdate forces OLE activation [high, RTF_OBJUPDATE]: RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
- INCLUDETEXT/INCLUDEPICTURE remote URL [high, RTF_INCLUDE_REMOTE]: RTF document uses INCLUDETEXT or INCLUDEPICTURE with an http:// URL. Word can fetch the remote content on open depending on Office version and external-content settings, enabling remote template injection, NTLM capture via redirects, or payload delivery.
- Reference to VirtualAlloc API [medium, SC_STR_VIRTUALALLOC]: Reference to VirtualAlloc API
- OLE object data [medium, RTF_OBJDATA]: RTF contains 2 \objdata section(s) (embedded OLE objects)
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://kinesk.com/t/t.php?stats=send&thread=1 (in RTF body)
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| objdata_00_off000001d7.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1D7 | 2598 bytes | a146c6985c10cbb56b61e41b392364f6f1e5bee352ccf463b85b1634b13ec499 |
| objdata_01_off00001905.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1905 | 2674 bytes | e293e79ea09eae7ddd4701951c07de9d4affcb93fe1bb6b246b18458b3d3f766 |