Malicious RTF — malware analysis report

Static analysis result for SHA-256 b30fd5d4f9cddb11…

Verdict: MALICIOUS
File type: RTF
Size: 76.7 KB
First seen: 2015-05-07
MD5: 6374de06a61cc5077cb2d930d5beb231
SHA-1: 905580b4aadcb22d78364063d8e5de318fbc8069
SHA-256: b30fd5d4f9cddb11197168775824198e67779d3f4b9b9c62ca18ae09e4bc6454
Risk score: 182

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF document contains embedded OLE objects and triggers heuristics for PEB access and XOR-encoded strings, indicating a malicious exploit. ClamAV specifically identifies it as Rtf.Exploit.Cve_2014_1761-2, suggesting exploitation of CVE-2014-1761. The embedded URL points to a potential second-stage executable, 'dro.exe', which is likely downloaded and executed by the exploit.

Heuristics (5)

  • ClamAV: Rtf.Exploit.Cve_2014_1761-2 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Rtf.Exploit.Cve_2014_1761-2
  • XOR-encoded strings (key 0xF3) [critical, SC_XOR_ENCODED]
    Found 2 Windows library/API name(s) XOR-encoded with single-byte key 0xF3: 'advapi32.dll', 'advapi32.dll'
    Disassembly
    Attempted x86 opcode disassembly
  • PEB access via FS segment (x86) [high, SC_PEB_ACCESS]
    PEB access via FS segment (x86)
    Disassembly
    Attempted x86 opcode disassembly
  • OLE object data [medium, RTF_OBJDATA]
    RTF contains 2 \objdata section(s) — embedded OLE objects
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://80.242.123.211:888/dro.exe (found in RTF body)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                    Kind                 Source                        Size
objdata_00_off00000080.bin  rtf-objdata-decoded  RTF \objdata at offset 0x80   123 bytes
  SHA-256: 918283222db1827a77e00779d9efe012c7f35cc8b628b0dbde5443f8fff278b1
objdata_01_off000001ae.bin  rtf-objdata-decoded  RTF \objdata at offset 0x1AE  5686 bytes
  SHA-256: 06c05da3926350d3491a1e4101a8d09cc16c0064dec97c33885c026beee1d205