Malicious RTF — malware analysis report

Static analysis result for SHA-256 8c26bf867e70f2e3…

Verdict: MALICIOUS
File type: RTF
Size: 48.8 KB
First seen: 2015-09-21
MD5: 2e454ea0c0d3fadfc478e8695400df40
SHA-1: 0dc324cf2efae2bc7dc29fe26f616decd765d66a
SHA-256: 8c26bf867e70f2e3511bd295c2c56abca51ab008b88d7a9e80b99ca240f79773
Risk score: 120

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is an RTF document that exploits CVE-2010-3333, a stack-based buffer overflow in Microsoft Word's RTF parser. The vulnerability allows arbitrary code execution when the document is opened. The XOR-encoded strings indicate that the payload obfuscates its embedded strings (such as library and API names) to hide its intent from plain string inspection.

Heuristics (2)

  • CVE-2010-3333 — pFragments RTF stack overflow [severity: critical; CVE match: exact, CVE_2010_3333]
    The RTF shape property pFragments has an oversized value, matching the CVE-2010-3333 stack-overflow trigger in Microsoft Word 2002/2003.
  • XOR-encoded strings (key 0xFC) [severity: critical; rule: SC_XOR_ENCODED]
    Found 1 Windows library/API name(s) XOR-encoded with the single-byte key 0xFC: 'kernel32.dll'
    Disassembly
    Attempted x86 opcode disassembly of the bytes around the match. Note that the listing starts at the encoded string itself: the bytes 97 99 8e 92 99 90 cf ce d2 98 90 90 at 0x1E14 XOR 0xFC give 'kernel32.dll', so the instructions below are a decode of encoded string data rather than genuine code and should not be read as the shellcode's logic.
    00001E14  97                xchg edi, eax
    00001E15  99                cdq
    00001E16  8e929990cfce      mov ss, word ptr [edx - 0x31306f67]
    00001E1C  d29890900000      rcr byte ptr [eax + 0x9090], cl
    00001E22  f700be999b95      test dword ptr [eax], 0x959b99be
    00001E28  92                xchg edx, eax
    00001E29  ac                lodsb al, byte ptr [esi]
    00001E2A  9d                popfd
    00001E2B  95                xchg ebp, eax
    00001E2C  92                xchg edx, eax
    00001E2D  8800              mov byte ptr [eax], al
    00001E2F  00a800bf8e99      add byte ptr [eax - 0x66714100], ch
    00001E35  9d                popfd
    00001E36  8899ab959298      mov byte ptr [ecx - 0x676d6a55], bl
    00001E3C  93                xchg ebx, eax
    00001E3D  8bb984bd0082      mov edi, dword ptr [ecx - 0x7dff427c]
    00001E43  00b8999aab95      add byte ptr [eax - 0x6a546567], bh
    00001E49  92                xchg edx, eax
    00001E4A  98                cwde
    00001E4B  93                xchg ebx, eax
    00001E4C  8bac8e939fbd00    mov ebp, dword ptr [esi + ecx*4 + 0xbd9f93]
    00001E53  007b00            add byte ptr [ebx], bh
    00001E56  b8998f888e        mov eax, 0x8e888f99
    00001E5B  93                xchg ebx, eax
    00001E5C  85ab95929893      test dword ptr [ebx - 0x6c676d6b], ebp
    00001E62  8b00              mov eax, dword ptr [eax]
    00001E64  7000              jo 0x1e66
    00001E66  b8958f8c9d        mov eax, 0x9d8c8f95
    00001E6B  889f94b1998f      mov byte ptr [edi - 0x70664e6c], bl
    00001E71  8f                .byte 0x8f
    00001E72  9d                popfd
    00001E73  9b                wait