Malicious RTF — malware analysis report

Static analysis result for SHA-256 a07e1a809c43ed81…

Verdict: MALICIOUS
File type: RTF
Size: 144.5 KB
First seen: 2015-09-16
MD5: 2262328210fece23b17359806e579ca0
SHA-1: 7d297fa6d028f184646228c07037fb7fd85d7e54
SHA-256: a07e1a809c43ed81933b4102fb3f75dcbdd989afcc2016cd3084b40b8614a922
Risk score: 280

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The file is an RTF document that contains OLE object data and triggers heuristics related to CVE-2012-0158, a known vulnerability for client execution. The document body contains obfuscated commands that appear to be attempting to execute a file from the temporary directory, likely a downloaded payload. The presence of shellcode candidate regions and the ClamAV detection further support the malicious nature of this file.

Heuristics (7)

  • MSCOMCTL.ListView — CVE-2012-0158 | severity: high | category: CVE related | rule: CVE_2012_0158
    RTF \objdata decodes to OLE data containing the MSCOMCTL.ListView — CVE-2012-0158 CLSID — the vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
  • ClamAV: BC.Legacy.Exploit.CVE_2012_0158-20 | severity: critical | rule: CLAMAV_DETECTION
    ClamAV detected this file as malware: BC.Legacy.Exploit.CVE_2012_0158-20
  • XOR-encoded strings (key 0x85) | severity: critical | rule: SC_XOR_ENCODED
    Found 3 Windows library/API name(s) XOR-encoded with single-byte key 0x85: 'LoadLibraryA', 'GetProcAddress', 'RegOpenKeyExA'
    Disassembly
    Attempted x86 opcode disassembly
    00015170  c9                leave
    00015171  eae4e1c9ece7f7    ljmp 0xf7e7:0xecc9e1e4
    00015178  e4f7              in al, 0xf7
    0001517A  fc                cld
    0001517B  c400              les eax, ptr [eax]
    0001517D  00e2              add dl, ah
    0001517F  84c2              test dl, al
    00015181  e0f1              loopne 0x15174
    00015183  c8eae1f0          enter -0x1e16, -0x10
    00015187  e9e0cde4eb        jmp 0xebe61f6c
    0001518C  e1e9              loope 0x15177
    0001518E  e0c4              loopne 0x15154
    00015190  0000              add byte ptr [eax], al
    00015192  1984c2e0f1d6f1    sbb dword ptr [edx + eax*8 - 0xe290e20], eax
    00015199  e4f7              in al, 0xf7
    0001519B  f1                int1
    0001519C  f0                .byte 0xf0
    0001519D  f5                cmc
    0001519E  cc                int3
    0001519F  ebe3              jmp 0x15184
    000151A1  eac400cec0d7cb    ljmp 0xcbd7:0xc0ce00c4
    000151A8  c0c9b6            ror cl, 0xb6
    000151AB  b7ab              mov bh, 0xab
    000151AD  e1e9              loope 0x15198
    000151AF  e900009687        jmp 0x879751b4
    000151B4  d6                salc
    000151B5  e0f1              loopne 0x151a8
    000151B7  c7                .byte 0xc7
    000151B8  ee                out dx, al
    000151B9  c6                .byte 0xc6
    000151BA  eae9eaf70000bf    ljmp 0xbf00:0xf7eae9
    000151C1  87d6              xchg esi, edx
    000151C3  e0f1              loopne 0x151b6
    000151C5  d1e0              shl eax, 1
    000151C7  fd                std
    000151C8  f1                int1
    000151C9  c6                .byte 0xc6
    000151CA  ea                .byte 0xea
    000151CB  e9eaf70000        jmp 0x249ba
  • PEB access via FS segment (x86) | severity: high | rule: SC_PEB_ACCESS
    PEB access via FS segment (x86)
    Disassembly
    Attempted x86 opcode disassembly
    000024F4  64a130000000      mov eax, dword ptr fs:[0x30]
    000024FA  8b400c            mov eax, dword ptr [eax + 0xc]
    000024FD  8b4014            mov eax, dword ptr [eax + 0x14]
    00002500  8b00              mov eax, dword ptr [eax]
    00002502  8b00              mov eax, dword ptr [eax]
    00002504  8b6810            mov ebp, dword ptr [eax + 0x10]
    00002507  8bf7              mov esi, edi
    00002509  6a11              push 0x11
    0000250B  59                pop ecx
    0000250C  e8c6050000        call 0x2ad7
    00002511  e2f9              loop 0x250c
    00002513  8bee              mov ebp, esi
    00002515  81ec00020000      sub esp, 0x200
    0000251B  8bdc              mov ebx, esp
    0000251D  c7036e74646c      mov dword ptr [ebx], 0x6c64746e
    00002523  c743046c2e646c    mov dword ptr [ebx + 4], 0x6c642e6c
    0000252A  66c743086c00      mov word ptr [ebx + 8], 0x6c
    00002530  c6430a00          mov byte ptr [ebx + 0xa], 0
    00002534  53                push ebx
    00002535  8b06              mov eax, dword ptr [esi]
    00002537  e8e0050000        call 0x2b1c
    0000253C  8be8              mov ebp, eax
    0000253E  6a01              push 1
    00002540  59                pop ecx
    00002541  e891050000        call 0x2ad7
    00002546  e2f9              loop 0x2541
    00002548  8bee              mov ebp, esi
    0000254A  81ec00040000      sub esp, 0x400
    00002550  33c0              xor eax, eax
    00002552  89                .byte 0x89
    00002553  45                inc ebp
  • Clipboard command execution lure | severity: high | rule: SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • OLE object data | severity: medium | rule: RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Suspicious extracted artifact | severity: medium | rule: EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000000a5.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0xA5
Size: 4543 bytes
SHA-256: 40a92f7f33ad018710d1e8703f5e0311fd90bda9117cc3b8324c1c7dbc156a82
Detection: ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_PEB_ACCESS, NOP sled