Malicious RTF — malware analysis report

Static analysis result for SHA-256 62da487b5445f95f…

Verdict: MALICIOUS
File type: RTF
Size: 818.5 KB
Created: 2017-11-20 19:23:00
First seen: 2019-11-20
MD5: 5047f9e2434394bafcebfbbd85fb1a75
SHA-1: e76cea25d27c255c4d7b85a4c2d26be606d8701a
SHA-256: 62da487b5445f95f48f407a288684488cb468470ec30d4de1111f9be496a3067
Risk Score: 422

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The RTF file contains OLE object data that leverages CVE-2017-0199 or CVE-2017-8759 to automatically activate a remote loader. This loader attempts to download a payload from the URL http://kinesk.com/t/t.php?stats=send&thread=1. Metasploit reverse shellcode was also detected within the file, indicating a likely post-exploitation objective.

Heuristics (11)

  • CVE-2017-0199 / CVE-2017-8759 (OLE2Link auto-activated remote loader) [critical, CVE related] (rule RTF_OLE2LINK_REMOTE_MONIKER_LOADER)
    RTF embeds an OLE2Link object that is force-activated with \objupdate (no user interaction on open) and fetches a remote second stage through an INCLUDETEXT/INCLUDEPICTURE field. This is the field-delivered OLE2Link auto-update attack path shared by CVE-2017-0199 (server returns an HTA/scriptlet) and CVE-2017-8759 (server returns a SOAP WSDL the .NET parser compiles). Office processes the fetched response through the same code path; the specific CVE depends on the now-unreachable server content type.
  • ClamAV: Rtf.Downloader.CVE_2017-6336326-3 [critical] (rule CLAMAV_DETECTION)
    ClamAV detected this file as malware: Rtf.Downloader.CVE_2017-6336326-3
  • Metasploit reverse_tcp shellcode [critical] (rule SC_MSF_REVERSE)
    Disassembly (attempted x86 opcode disassembly):
    00064CAE  fc                cld
    00064CAF  e882000000        call 0x64d36
    00064CB4  5f                pop edi
    00064CB5  5e                pop esi
    00064CB6  5b                pop ebx
    00064CB7  8be5              mov esp, ebp
    00064CB9  5d                pop ebp
    00064CBA  c3                ret
    00064CBB  8d4000            lea eax, [eax]
    00064CBE  53                push ebx
    00064CBF  56                push esi
    00064CC0  8bd8              mov ebx, eax
    00064CC2  3b5324            cmp edx, dword ptr [ebx + 0x24]
    00064CC5  7436              je 0x64cfd
    00064CC7  8bf2              mov esi, edx
    00064CC9  85f6              test esi, esi
    00064CCB  7518              jne 0x64ce5
    00064CCD  33c0              xor eax, eax
    00064CCF  8a4318            mov al, byte ptr [ebx + 0x18]
    00064CD2  8b048528ef4700    mov eax, dword ptr [eax*4 + 0x47ef28]
    00064CD9  50                push eax
    00064CDA  a1f06c4800        mov eax, dword ptr [0x486cf0]
    00064CDF  8b00              mov eax, dword ptr [eax]
    00064CE1  ffd0              call eax
    00064CE3  8bd0              mov edx, eax
    00064CE5  895324            mov dword ptr [ebx + 0x24], edx
    00064CE8  c6434401          mov byte ptr [ebx + 0x44], 1
    00064CEC  8b4304            mov eax, dword ptr [ebx + 4]
    00064CEF  e8ba060000        call 0x653ae
    00064CF4  85f6              test esi, esi
    00064CF6  7505              jne 0x64cfd
    00064CF8  33c0              xor eax, eax
    00064CFA  894324            mov dword ptr [ebx + 0x24], eax
    00064CFD  5e                pop esi
    00064CFE  5b                pop ebx
    00064CFF  c3                ret
    00064D00  8bc0              mov eax, eax
    00064D02  3b5028            cmp edx, dword ptr [eax + 0x28]
    00064D05  7413              je 0x64d1a
    00064D07  895028            mov dword ptr [eax + 0x28], edx
    00064D0A  c6402c00          mov byte ptr [eax + 0x2c], 0
  • Reference to WinExec API [high] (rule SC_STR_WINEXEC)
  • Reference to LoadLibrary API [high] (rule SC_STR_LOADLIBRARY)
  • Reference to GetProcAddress API [high] (rule SC_STR_GETPROCADDRESS)
  • \objupdate forces OLE activation [high] (rule RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • INCLUDETEXT/INCLUDEPICTURE remote URL [high] (rule RTF_INCLUDE_REMOTE)
    RTF document uses INCLUDETEXT or INCLUDEPICTURE with an http:// URL — Word can fetch the remote content on open depending on Office version and external-content settings, enabling remote template injection, NTLM capture via redirects, or payload delivery.
  • Reference to VirtualAlloc API [medium] (rule SC_STR_VIRTUALALLOC)
  • OLE object data [medium] (rule RTF_OBJDATA)
    RTF contains 2 \objdata section(s) — embedded OLE objects
  • Embedded URL [info] (rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://kinesk.com/t/t.php?stats=send&thread=1 (location: RTF body)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                   | Kind                | Source                         | Size       | SHA-256
objdata_00_off000001d7.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1D7   | 2598 bytes | a146c6985c10cbb56b61e41b392364f6f1e5bee352ccf463b85b1634b13ec499
objdata_01_off00001905.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1905  | 2674 bytes | e293e79ea09eae7ddd4701951c07de9d4affcb93fe1bb6b246b18458b3d3f766