Malicious RTF — malware analysis report

Static analysis result for SHA-256 6cac3774a1300c03…

Verdict: MALICIOUS
File type: RTF
Size: 804.9 KB
First seen: 2018-03-04
MD5: 0b00989c07114fd3cc0b7e0c35cfc11a
SHA-1: cf86f1f8f23b7d353d5f821c1dc8d139070fdb19
SHA-256: 6cac3774a1300c039e75502ca10446dd33919fa8d3a8dd4ad1236617b5809144
Risk score: 450

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1105 Ingress Tool Transfer

The RTF document contains OLE object data that triggers remote code execution via CVE-2017-0199 or CVE-2017-8759. It attempts to download a payload from http://mail-serv2.com/vbx/t.php?stats=send&thread=0, which is consistent with Metasploit reverse shellcode. The language of the document body suggests a fake invoice lure, further supporting malicious intent.

Heuristics (13)

  • CVE-2017-0199 / CVE-2017-8759 (OLE2Link auto-activated remote loader) [critical, CVE related] RTF_OLE2LINK_REMOTE_MONIKER_LOADER
    RTF embeds an OLE2Link object that is force-activated with \objupdate (no user interaction on open) and fetches a remote second stage through an INCLUDETEXT/INCLUDEPICTURE field. This is the field-delivered OLE2Link auto-update attack path shared by CVE-2017-0199 (server returns an HTA/scriptlet) and CVE-2017-8759 (server returns a SOAP WSDL the .NET parser compiles). Office processes the fetched response through the same code path; the specific CVE depends on the now-unreachable server content type.
  • ClamAV: Rtf.Downloader.CVE_2017-6336326-3 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Rtf.Downloader.CVE_2017-6336326-3
  • Metasploit reverse_tcp shellcode [critical] SC_MSF_REVERSE
    Metasploit reverse_tcp shellcode
    Disassembly (attempted x86 opcode disassembly):
    0005B475  fc                cld
    0005B476  e882000000        call 0x5b4fd
    0005B47B  5f                pop edi
    0005B47C  5e                pop esi
    0005B47D  5b                pop ebx
    0005B47E  8be5              mov esp, ebp
    0005B480  5d                pop ebp
    0005B481  c3                ret
    0005B482  8d4000            lea eax, [eax]
    0005B485  53                push ebx
    0005B486  56                push esi
    0005B487  8bd8              mov ebx, eax
    0005B489  3b5324            cmp edx, dword ptr [ebx + 0x24]
    0005B48C  7436              je 0x5b4c4
    0005B48E  8bf2              mov esi, edx
    0005B490  85f6              test esi, esi
    0005B492  7518              jne 0x5b4ac
    0005B494  33c0              xor eax, eax
    0005B496  8a4318            mov al, byte ptr [ebx + 0x18]
    0005B499  8b0485942c4600    mov eax, dword ptr [eax*4 + 0x462c94]
    0005B4A0  50                push eax
    0005B4A1  a1fc9b4600        mov eax, dword ptr [0x469bfc]
    0005B4A6  8b00              mov eax, dword ptr [eax]
    0005B4A8  ffd0              call eax
    0005B4AA  8bd0              mov edx, eax
    0005B4AC  895324            mov dword ptr [ebx + 0x24], edx
    0005B4AF  c6434401          mov byte ptr [ebx + 0x44], 1
    0005B4B3  8b4304            mov eax, dword ptr [ebx + 4]
    0005B4B6  e8ba060000        call 0x5bb75
    0005B4BB  85f6              test esi, esi
    0005B4BD  7505              jne 0x5b4c4
    0005B4BF  33c0              xor eax, eax
    0005B4C1  894324            mov dword ptr [ebx + 0x24], eax
    0005B4C4  5e                pop esi
    0005B4C5  5b                pop ebx
    0005B4C6  c3                ret
    0005B4C7  8bc0              mov eax, eax
    0005B4C9  3b5028            cmp edx, dword ptr [eax + 0x28]
    0005B4CC  7413              je 0x5b4e1
    0005B4CE  895028            mov dword ptr [eax + 0x28], edx
    0005B4D1  c6402c00          mov byte ptr [eax + 0x2c], 0
  • Reference to WinExec API [high] SC_STR_WINEXEC
    Reference to WinExec API
  • Reference to LoadLibrary API [high] SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API [high] SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • \objupdate forces OLE activation [high] RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • INCLUDETEXT/INCLUDEPICTURE remote URL [high] RTF_INCLUDE_REMOTE
    RTF document uses INCLUDETEXT or INCLUDEPICTURE with an http:// URL. Word can fetch the remote content on open depending on Office version and external-content settings, enabling remote template injection, NTLM capture via redirects, or payload delivery.
  • Reference to VirtualAlloc API [medium] SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Reference to VirtualProtect API [medium] SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects
  • Fake invoice / payment lure [low] SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://mail-serv2.com/vbx/t.php?stats=send&thread=0 (in RTF body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in RTF body)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • objdata_00_off0000c568.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0xC568
    Size: 2598 bytes
    SHA-256: 7a51cc58b43040b7f5e56cc66bbd7937098706728b504cb7219f50f43cd3c4cc
  • objdata_01_off0000dc96.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0xDC96
    Size: 2674 bytes
    SHA-256: 604e73beddf6f554636100a7cfc81901fad1ecba5403b54b60a45aebb39c16ea