Verdict: MALICIOUS
Risk Score: 442

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
The RTF file contains OLE object data that triggers remote code execution via CVE-2017-0199 or CVE-2017-8759. It attempts to download a payload from the URL http://kinesk.com/t/t.php?stats=send&thread=1. Metasploit shellcode and calls to VirtualAlloc, LoadLibrary, and GetProcAddress indicate the execution of malicious code, likely a downloader.
Heuristics (11)

- [critical] RTF_OLE2LINK_REMOTE_MONIKER_LOADER: CVE-2017-0199 / CVE-2017-8759 (OLE2Link auto-activated remote loader). The RTF embeds an OLE2Link object that is force-activated with \objupdate (no user interaction on open) and fetches a remote second stage through an INCLUDETEXT/INCLUDEPICTURE field. This is the field-delivered OLE2Link auto-update attack path shared by CVE-2017-0199 (server returns an HTA/scriptlet) and CVE-2017-8759 (server returns a SOAP WSDL that the .NET parser compiles). Office processes the fetched response through the same code path; which CVE applies depends on the content type the server returned, and the server is now unreachable.
- [critical] CLAMAV_DETECTION: ClamAV detected this file as malware, signature Rtf.Downloader.CVE_2017-6336326-3.
- [critical] SC_MSF_REVERSE: Metasploit reverse_tcp shellcode. Attempted x86 opcode disassembly at the match offset:

  ```asm
  000787F7 fc             cld
  000787F8 e882000000     call 0x7887f
  000787FD 5f             pop edi
  000787FE 5e             pop esi
  000787FF 5b             pop ebx
  00078800 8be5           mov esp, ebp
  00078802 5d             pop ebp
  00078803 c3             ret
  00078804 8d4000         lea eax, [eax]
  00078807 53             push ebx
  00078808 56             push esi
  00078809 8bd8           mov ebx, eax
  0007880B 3b5324         cmp edx, dword ptr [ebx + 0x24]
  0007880E 7436           je 0x78846
  00078810 8bf2           mov esi, edx
  00078812 85f6           test esi, esi
  00078814 7518           jne 0x7882e
  00078816 33c0           xor eax, eax
  00078818 8a4318         mov al, byte ptr [ebx + 0x18]
  0007881B 8b04854c0f4800 mov eax, dword ptr [eax*4 + 0x480f4c]
  00078822 50             push eax
  00078823 a1b4994800     mov eax, dword ptr [0x4899b4]
  00078828 8b00           mov eax, dword ptr [eax]
  0007882A ffd0           call eax
  0007882C 8bd0           mov edx, eax
  0007882E 895324         mov dword ptr [ebx + 0x24], edx
  00078831 c6434401       mov byte ptr [ebx + 0x44], 1
  00078835 8b4304         mov eax, dword ptr [ebx + 4]
  00078838 e8ba060000     call 0x78ef7
  0007883D 85f6           test esi, esi
  0007883F 7505           jne 0x78846
  00078841 33c0           xor eax, eax
  00078843 894324         mov dword ptr [ebx + 0x24], eax
  00078846 5e             pop esi
  00078847 5b             pop ebx
  00078848 c3             ret
  00078849 8bc0           mov eax, eax
  0007884B 3b5028         cmp edx, dword ptr [eax + 0x28]
  0007884E 7413           je 0x78863
  00078850 895028         mov dword ptr [eax + 0x28], edx
  00078853 c6402c00       mov byte ptr [eax + 0x2c], 0
  ```
- [critical] SC_MSF_BIND: Metasploit bind_tcp shellcode. Attempted x86 opcode disassembly at the match offset:

  ```asm
  0004ACA8 fc             cld
  0004ACA9 e889000000     call 0x4ad37
  0004ACAE 8b45fc         mov eax, dword ptr [ebp - 4]
  0004ACB1 e82d2b0000     call 0x4d7e3
  0004ACB6 5b             pop ebx
  0004ACB7 59             pop ecx
  0004ACB8 5d             pop ebp
  0004ACB9 c3             ret
  0004ACBA 90             nop
  0004ACBB 53             push ebx
  0004ACBC 8bd8           mov ebx, eax
  0004ACBE 8b8340020000   mov eax, dword ptr [ebx + 0x240]
  0004ACC4 85c0           test eax, eax
  0004ACC6 7514           jne 0x4acdc
  0004ACC8 b201           mov dl, 1
  0004ACCA a1086e4100     mov eax, dword ptr [0x416e08]
  0004ACCF e8976cfcff     call 0x1196b
  0004ACD4 898340020000   mov dword ptr [ebx + 0x240], eax
  0004ACDA eb09           jmp 0x4ace5
  0004ACDC 6a00           push 0
  0004ACDE 6a00           push 0
  0004ACE0 e8daecfdff     call 0x299bf
  0004ACE5 80bb4402000000 cmp byte ptr [ebx + 0x244], 0
  0004ACEC 7411           je 0x4acff
  0004ACEE 8b832c020000   mov eax, dword ptr [ebx + 0x22c]
  0004ACF4 e8beeeffff     call 0x49bb7
  0004ACF9 8983a0020000   mov dword ptr [ebx + 0x2a0], eax
  0004ACFF 8bd3           mov edx, ebx
  0004AD01 8b8340020000   mov eax, dword ptr [ebx + 0x240]
  0004AD07 e8             .byte 0xe8
  ```
- [high] SC_STR_LOADLIBRARY: Reference to LoadLibrary API.
- [high] SC_STR_GETPROCADDRESS: Reference to GetProcAddress API.
- [high] RTF_OBJUPDATE: \objupdate forces OLE activation. The RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
- [high] RTF_INCLUDE_REMOTE: INCLUDETEXT/INCLUDEPICTURE remote URL. The RTF document uses INCLUDETEXT or INCLUDEPICTURE with an http:// URL. Word can fetch the remote content on open, depending on Office version and external-content settings, enabling remote template injection, NTLM capture via redirects, or payload delivery.
- [medium] SC_STR_VIRTUALALLOC: Reference to VirtualAlloc API.
- [medium] RTF_OBJDATA: OLE object data. The RTF contains 2 \objdata section(s), i.e. embedded OLE objects.
- [info] EMBEDDED_URL: Embedded URL. One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://kinesk.com/t/t.php?stats=send&thread=1 (in RTF body)
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| objdata_00_off0000c568.bin | rtf-objdata-decoded | RTF \objdata at offset 0xC568 | 2598 bytes | a146c6985c10cbb56b61e41b392364f6f1e5bee352ccf463b85b1634b13ec499 |
| objdata_01_off0000dc96.bin | rtf-objdata-decoded | RTF \objdata at offset 0xDC96 | 2674 bytes | e293e79ea09eae7ddd4701951c07de9d4affcb93fe1bb6b246b18458b3d3f766 |