Malicious RTF — malware analysis report

Static analysis result for SHA-256 861d1f7f04763e23…

Verdict: MALICIOUS
File type: RTF
Size: 867.4 KB
Created: 2017-11-20 19:23:00
First seen: 2019-09-30
MD5: 151131959dc8adae41529d841044354f
SHA-1: 272569aad05a8d50a6785bf772e1fff1b8d4a440
SHA-256: 861d1f7f04763e238d3b93824431c354f9b3fbf53dc34752bf312246fcce50d0
Risk score: 422

Malware Insights

MITRE ATT&CK: T1203 Exploitation for Client Execution

The RTF document contains OLE object data that leverages a remote loader, specifically indicating exploitation of CVE-2017-0199 or CVE-2017-8759. This mechanism is designed to download and execute a second-stage payload from a remote URL. The presence of Metasploit shellcode and references to Windows API functions like WinExec, VirtualAlloc, LoadLibrary, and GetProcAddress further confirm the malicious intent to execute arbitrary code.

Heuristics (11)

  • CVE-2017-0199 / CVE-2017-8759 (OLE2Link auto-activated remote loader) [critical, CVE related] rule: RTF_OLE2LINK_REMOTE_MONIKER_LOADER
    RTF embeds an OLE2Link object that is force-activated with \objupdate (no user interaction on open) and fetches a remote second stage through an INCLUDETEXT/INCLUDEPICTURE field. This is the field-delivered OLE2Link auto-update attack path shared by CVE-2017-0199 (server returns an HTA/scriptlet) and CVE-2017-8759 (server returns a SOAP WSDL the .NET parser compiles). Office processes the fetched response through the same code path; the specific CVE depends on the now-unreachable server content type.
  • ClamAV: Rtf.Downloader.CVE_2017-6336326-3 [critical] rule: CLAMAV_DETECTION
    ClamAV detected this file as malware: Rtf.Downloader.CVE_2017-6336326-3
  • Metasploit reverse_tcp shellcode [critical] rule: SC_MSF_REVERSE
    Disassembly (attempted x86 opcode disassembly):
    0007107C  fc                cld
    0007107D  e882000000        call 0x71104
    00071082  5f                pop edi
    00071083  5e                pop esi
    00071084  5b                pop ebx
    00071085  8be5              mov esp, ebp
    00071087  5d                pop ebp
    00071088  c3                ret
    00071089  8d4000            lea eax, [eax]
    0007108C  53                push ebx
    0007108D  56                push esi
    0007108E  8bd8              mov ebx, eax
    00071090  3b5324            cmp edx, dword ptr [ebx + 0x24]
    00071093  7436              je 0x710cb
    00071095  8bf2              mov esi, edx
    00071097  85f6              test esi, esi
    00071099  7518              jne 0x710b3
    0007109B  33c0              xor eax, eax
    0007109D  8a4318            mov al, byte ptr [ebx + 0x18]
    000710A0  8b048528ef4700    mov eax, dword ptr [eax*4 + 0x47ef28]
    000710A7  50                push eax
    000710A8  a1f06c4800        mov eax, dword ptr [0x486cf0]
    000710AD  8b00              mov eax, dword ptr [eax]
    000710AF  ffd0              call eax
    000710B1  8bd0              mov edx, eax
    000710B3  895324            mov dword ptr [ebx + 0x24], edx
    000710B6  c6434401          mov byte ptr [ebx + 0x44], 1
    000710BA  8b4304            mov eax, dword ptr [ebx + 4]
    000710BD  e8ba060000        call 0x7177c
    000710C2  85f6              test esi, esi
    000710C4  7505              jne 0x710cb
    000710C6  33c0              xor eax, eax
    000710C8  894324            mov dword ptr [ebx + 0x24], eax
    000710CB  5e                pop esi
    000710CC  5b                pop ebx
    000710CD  c3                ret
    000710CE  8bc0              mov eax, eax
    000710D0  3b5028            cmp edx, dword ptr [eax + 0x28]
    000710D3  7413              je 0x710e8
    000710D5  895028            mov dword ptr [eax + 0x28], edx
    000710D8  c6402c00          mov byte ptr [eax + 0x2c], 0
  • Reference to WinExec API [high] rule: SC_STR_WINEXEC
  • Reference to LoadLibrary API [high] rule: SC_STR_LOADLIBRARY
  • Reference to GetProcAddress API [high] rule: SC_STR_GETPROCADDRESS
  • \objupdate forces OLE activation [high] rule: RTF_OBJUPDATE
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • INCLUDETEXT/INCLUDEPICTURE remote URL [high] rule: RTF_INCLUDE_REMOTE
    RTF document uses INCLUDETEXT or INCLUDEPICTURE with an http:// URL. Depending on Office version and external-content settings, Word can fetch the remote content on open, enabling remote template injection, NTLM capture via redirects, or payload delivery.
  • Reference to VirtualAlloc API [medium] rule: SC_STR_VIRTUALALLOC
  • OLE object data [medium] rule: RTF_OBJDATA
    RTF contains 2 \objdata section(s) (embedded OLE objects)
  • Embedded URL [info] rule: EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://cdn.cliqueinc.com/cache/posts/253245/most-beautiful-flowers-253245-1522430141025-square.700x0c.jpg (found in RTF body)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                     Kind                  Source                          Size
objdata_00_off0000c568.bin   rtf-objdata-decoded   RTF \objdata at offset 0xC568   2598 bytes
  SHA-256: a146c6985c10cbb56b61e41b392364f6f1e5bee352ccf463b85b1634b13ec499
objdata_01_off0000dc96.bin   rtf-objdata-decoded   RTF \objdata at offset 0xDC96   2674 bytes
  SHA-256: e293e79ea09eae7ddd4701951c07de9d4affcb93fe1bb6b246b18458b3d3f766