Malicious RTF — malware analysis report

Static analysis result for SHA-256 71ebcb5d3bcb92a8…

Verdict: MALICIOUS
File type: RTF
Size: 164.2 KB
First seen: 2017-12-09
MD5: 09734fef7919934a5ad6b4a1236db5f6
SHA-1: 8fe165eb2bf4009180387aab912199608c74fb0b
SHA-256: 71ebcb5d3bcb92a82d025e4294f80c4d89e51fede752cce2fb59aa084db4e752
Risk Score: 422

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.001 PowerShell

The RTF file contains OLE object data that leverages remote loader functionality, specifically referencing CVE-2017-0199 and CVE-2017-8759. It attempts to download a secondary payload from the URL http://roessler.cc/t/t.php?stats=send&thread=0. Heuristics indicate the use of CreateProcess, LoadLibrary, and GetProcAddress APIs, suggesting the execution of downloaded code. The XOR-encoded strings further support the presence of obfuscated malicious content.

Heuristics (11)

  • CVE-2017-0199 / CVE-2017-8759 (OLE2Link auto-activated remote loader) [critical] [CVE related] RTF_OLE2LINK_REMOTE_MONIKER_LOADER
    RTF embeds an OLE2Link object that is force-activated with \objupdate (no user interaction on open) and fetches a remote second stage through an INCLUDETEXT/INCLUDEPICTURE field. This is the field-delivered OLE2Link auto-update attack path shared by CVE-2017-0199 (server returns an HTA/scriptlet) and CVE-2017-8759 (server returns a SOAP WSDL the .NET parser compiles). Office processes the fetched response through the same code path; the specific CVE depends on the now-unreachable server content type.
  • ClamAV: Rtf.Downloader.CVE_2017-6336326-3 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Rtf.Downloader.CVE_2017-6336326-3
  • XOR-encoded strings (key 0x71) [critical] SC_XOR_ENCODED
    Found 3 Windows library/API name(s) XOR-encoded with single-byte key 0x71: 'LoadLibraryA', 'GetProcAddress', 'VirtualAlloc'
    Disassembly
    Attempted x86 opcode disassembly
    0001290E  3d1e10153d        cmp eax, 0x3d15101e
    00012913  1813              sbb byte ptr [ebx], dl
    00012915  0310              add edx, dword ptr [eax]
    00012917  0308              add ecx, dword ptr [eax]
    00012919  3071f2            xor byte ptr [ecx - 0xe], dh
    0001291C  b172              mov cl, 0x72
    0001291E  f8                clc
    0001291F  f4                hlt
    00012920  6d                insd dword ptr es:[edi], dx
    00012921  8e8e8e29faf4      mov cs, word ptr [esi - 0xb05d672]
    00012927  6d                insd dword ptr es:[edi], dx
    00012928  8e8e8e21fa3c      mov cs, word ptr [esi + 0x3cfa218e]
    0001292E  81208e24adf8      and dword ptr [eax], 0xf8ad248e
    00012934  f4                hlt
    00012935  49                dec ecx
    00012936  8e8e8e219971      mov cs, word ptr [esi + 0x7199218e]
    0001293C  7171              jno 0x129af
    0001293E  7129              jno 0x12969
    00012940  9a7c2718030504    lcall 0x405, 0x318277c
    00012947  101d301d1d1e      adc byte ptr [0x1e1d1d30], bl
    0001294D  1271f2            adc dh, byte ptr [ecx - 0xe]
    00012950  b172              mov cl, 0x72
    00012952  f8                clc
    00012953  f4                hlt
    00012954  4d                dec ebp
    00012955  8e8e8e29fae4      mov cs, word ptr [esi - 0x1b05d672]
    0001295B  4d                dec ebp
    0001295C  8e8e8e23fa34      mov cs, word ptr [esi + 0x34fa238e]
    00012962  81218e24adf8      and dword ptr [ecx], 0xf8ad248e
    00012968  34cd              xor al, 0xcd
    0001296A  21                .byte 0x21
    0001296B  99                cdq
    0001296C  7171              jno 0x129df
  • Reference to CreateProcess API [high] SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Reference to LoadLibrary API [high] SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API [high] SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • \objupdate forces OLE activation [high] RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • INCLUDETEXT/INCLUDEPICTURE remote URL [high] RTF_INCLUDE_REMOTE
    RTF document uses INCLUDETEXT or INCLUDEPICTURE with an http:// URL — Word can fetch the remote content on open depending on Office version and external-content settings, enabling remote template injection, NTLM capture via redirects, or payload delivery
  • Reference to VirtualProtect API [medium] SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://roessler.cc/t/t.php?stats=send&thread=0 (in RTF body)
    • http://schemas.microsoft.com/SMI/2005/WindowsSettings (in RTF body)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000c568.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0xC568
Size: 2598 bytes
SHA-256: 826a60b73baba7b56e194d2aa457ef4ab8fc56e8f500ead96b9a1ca68a6d5554

Filename: objdata_01_off0000dc96.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0xDC96
Size: 2674 bytes
SHA-256: 19e4ce1f961cddb3b8140f45823ef3e55fe4d9e4773a2d7b33e6093846bae677