MALICIOUS
Risk Score: 202
Malware Insights
MITRE ATT&CK:
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The RTF file contains a high-severity heuristic indicating remote template injection, targeting the URL http://zz815.topcities.com//model.dot. This technique is often used to download and execute malicious content. References to VirtualAlloc, VirtualProtect, LoadLibrary, and GetProcAddress APIs suggest the file is preparing to load and run code from an external source.
Heuristics (7)
- Remote template injection (\*\template → remote URL) (high, RTF_REMOTE_TEMPLATE): The RTF's \*\template destination is a remote URL/UNC path. When Word opens the document it fetches and loads that template, which can carry macros or an exploit, deliver a scriptlet/HTA, or leak NTLM credentials over UNC. Benign documents attach only a local template, so a remote \*\template target is template-injection delivery (MITRE T1221). Matched: remote \*\template target (Word fetches it on open).
- x86 GetPC stub (CALL $+5; POP EBX) (high, SC_GETPC_CALL)
Disassembly (attempted x86 opcode disassembly):
    000377C9 e800000000    call 0x377ce
    000377CE 5b            pop ebx
    000377CF b92f894000    mov ecx, 0x40892f
    000377D4 81e92c864000  sub ecx, 0x40862c
    000377DA 03d9          add ebx, ecx
    000377DC 50            push eax
    000377DD 53            push ebx
    000377DE e83d020000    call 0x37a20
    000377E3 61            popal
    000377E4 03bddefdffff  add edi, dword ptr [ebp - 0x222]
    000377EA 8bdf          mov ebx, edi
    000377EC 833f00        cmp dword ptr [edi], 0
    000377EF 750a          jne 0x377fb
    000377F1 83c704        add edi, 4
    000377F4 b900000000    mov ecx, 0
    000377F9 eb16          jmp 0x37811
    000377FB b901000000    mov ecx, 1
    00037800 033b          add edi, dword ptr [ebx]
    00037802 83c304        add ebx, 4
    00037805 833b00        cmp dword ptr [ebx], 0
    00037808 742d          je 0x37837
    0003780A 0113          add dword ptr [ebx], edx
    0003780C 8b33          mov esi, dword ptr [ebx]
    0003780E 037b04        add edi, dword ptr [ebx + 4]
    00037811 57            push edi
    00037812 51            push ecx
    00037813 52            push edx
    00037814 53            push ebx
    00037815 ffb536feffff  push dword ptr [ebp - 0x1ca]
    0003781B ffb532feffff  push dword ptr [ebp - 0x1ce]
    00037821 56            push esi
    00037822 57            push edi
    00037823 ff95fafdffff  call dword ptr [ebp - 0x206]
- Reference to LoadLibrary API (high, SC_STR_LOADLIBRARY)
- Reference to GetProcAddress API (high, SC_STR_GETPROCADDRESS)
- Reference to VirtualAlloc API (medium, SC_STR_VIRTUALALLOC)
- Reference to VirtualProtect API (medium, SC_STR_VIRTUALPROTECT)
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  Extracted URLs (all found in the RTF body):
  - http://www.debates.org/pages/trans2004a.html.[7
  - http://www.cuhk.edu.hk/ics/21c/supplem/essay/040313a.htm
  - http://www.debates.org/pages/trans2004a.html
  - http://eserver.org/marx/1848-communist.manifesto/cm4.txt
  - http://english.epochtimes.com/news/4-7-14/22421.html).[7
  - http://zz815.topcities.com//model.dot
  - http://english.epochtimes.com/news/4-7-14/22421.html