Malicious RTF — malware analysis report

Static analysis result for SHA-256 c82090292f5d791e…

MALICIOUS

RTF

Size: 879.9 KB
Created: 2017-11-20 19:23:00
First seen: 2017-12-08
MD5: 4750d765fa0c27ab357de78d4722cf01
SHA-1: c5979519e60eb153436c6928cc311459d9f18716
SHA-256: c82090292f5d791e39423be1d775792bc547997206e9ef0c7ab8225c51a21ec1
Risk score: 442

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF file contains OLE object data that triggers remote code execution via CVE-2017-0199 or CVE-2017-8759. It attempts to download a payload from the URL http://kinesk.com/t/t.php?stats=send&thread=1. Metasploit shellcode and calls to VirtualAlloc, LoadLibrary, and GetProcAddress indicate the execution of malicious code, likely a downloader.

Heuristics 11

  • CVE-2017-0199 / CVE-2017-8759 (OLE2Link auto-activated remote loader) [critical, CVE related] RTF_OLE2LINK_REMOTE_MONIKER_LOADER
    RTF embeds an OLE2Link object that is force-activated with \objupdate (no user interaction on open) and fetches a remote second stage through an INCLUDETEXT/INCLUDEPICTURE field. This is the field-delivered OLE2Link auto-update attack path shared by CVE-2017-0199 (server returns an HTA/scriptlet) and CVE-2017-8759 (server returns a SOAP WSDL the .NET parser compiles). Office processes the fetched response through the same code path; the specific CVE depends on the now-unreachable server content type.
  • ClamAV: Rtf.Downloader.CVE_2017-6336326-3 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Rtf.Downloader.CVE_2017-6336326-3
  • Metasploit reverse_tcp shellcode [critical] SC_MSF_REVERSE
    Metasploit reverse_tcp shellcode
    Disassembly
    Attempted x86 opcode disassembly
    000787F7  fc                cld
    000787F8  e882000000        call 0x7887f
    000787FD  5f                pop edi
    000787FE  5e                pop esi
    000787FF  5b                pop ebx
    00078800  8be5              mov esp, ebp
    00078802  5d                pop ebp
    00078803  c3                ret
    00078804  8d4000            lea eax, [eax]
    00078807  53                push ebx
    00078808  56                push esi
    00078809  8bd8              mov ebx, eax
    0007880B  3b5324            cmp edx, dword ptr [ebx + 0x24]
    0007880E  7436              je 0x78846
    00078810  8bf2              mov esi, edx
    00078812  85f6              test esi, esi
    00078814  7518              jne 0x7882e
    00078816  33c0              xor eax, eax
    00078818  8a4318            mov al, byte ptr [ebx + 0x18]
    0007881B  8b04854c0f4800    mov eax, dword ptr [eax*4 + 0x480f4c]
    00078822  50                push eax
    00078823  a1b4994800        mov eax, dword ptr [0x4899b4]
    00078828  8b00              mov eax, dword ptr [eax]
    0007882A  ffd0              call eax
    0007882C  8bd0              mov edx, eax
    0007882E  895324            mov dword ptr [ebx + 0x24], edx
    00078831  c6434401          mov byte ptr [ebx + 0x44], 1
    00078835  8b4304            mov eax, dword ptr [ebx + 4]
    00078838  e8ba060000        call 0x78ef7
    0007883D  85f6              test esi, esi
    0007883F  7505              jne 0x78846
    00078841  33c0              xor eax, eax
    00078843  894324            mov dword ptr [ebx + 0x24], eax
    00078846  5e                pop esi
    00078847  5b                pop ebx
    00078848  c3                ret
    00078849  8bc0              mov eax, eax
    0007884B  3b5028            cmp edx, dword ptr [eax + 0x28]
    0007884E  7413              je 0x78863
    00078850  895028            mov dword ptr [eax + 0x28], edx
    00078853  c6402c00          mov byte ptr [eax + 0x2c], 0
  • Metasploit bind_tcp shellcode [critical] SC_MSF_BIND
    Metasploit bind_tcp shellcode
    Disassembly
    Attempted x86 opcode disassembly
    0004ACA8  fc                cld
    0004ACA9  e889000000        call 0x4ad37
    0004ACAE  8b45fc            mov eax, dword ptr [ebp - 4]
    0004ACB1  e82d2b0000        call 0x4d7e3
    0004ACB6  5b                pop ebx
    0004ACB7  59                pop ecx
    0004ACB8  5d                pop ebp
    0004ACB9  c3                ret
    0004ACBA  90                nop
    0004ACBB  53                push ebx
    0004ACBC  8bd8              mov ebx, eax
    0004ACBE  8b8340020000      mov eax, dword ptr [ebx + 0x240]
    0004ACC4  85c0              test eax, eax
    0004ACC6  7514              jne 0x4acdc
    0004ACC8  b201              mov dl, 1
    0004ACCA  a1086e4100        mov eax, dword ptr [0x416e08]
    0004ACCF  e8976cfcff        call 0x1196b
    0004ACD4  898340020000      mov dword ptr [ebx + 0x240], eax
    0004ACDA  eb09              jmp 0x4ace5
    0004ACDC  6a00              push 0
    0004ACDE  6a00              push 0
    0004ACE0  e8daecfdff        call 0x299bf
    0004ACE5  80bb4402000000    cmp byte ptr [ebx + 0x244], 0
    0004ACEC  7411              je 0x4acff
    0004ACEE  8b832c020000      mov eax, dword ptr [ebx + 0x22c]
    0004ACF4  e8beeeffff        call 0x49bb7
    0004ACF9  8983a0020000      mov dword ptr [ebx + 0x2a0], eax
    0004ACFF  8bd3              mov edx, ebx
    0004AD01  8b8340020000      mov eax, dword ptr [ebx + 0x240]
    0004AD07  e8                .byte 0xe8
  • Reference to LoadLibrary API [high] SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API [high] SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • \objupdate forces OLE activation [high] RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • INCLUDETEXT/INCLUDEPICTURE remote URL [high] RTF_INCLUDE_REMOTE
    RTF document uses INCLUDETEXT or INCLUDEPICTURE with an http:// URL. Depending on the Office version and external-content settings, Word can fetch the remote content on open, enabling remote template injection, NTLM credential capture via redirects, or payload delivery.
  • Reference to VirtualAlloc API [medium] SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://kinesk.com/t/t.php?stats=send&thread=1 (in RTF body)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
objdata_00_off0000c568.bin | rtf-objdata-decoded | RTF \objdata at offset 0xC568 | 2598 bytes
  SHA-256: a146c6985c10cbb56b61e41b392364f6f1e5bee352ccf463b85b1634b13ec499
objdata_01_off0000dc96.bin | rtf-objdata-decoded | RTF \objdata at offset 0xDC96 | 2674 bytes
  SHA-256: e293e79ea09eae7ddd4701951c07de9d4affcb93fe1bb6b246b18458b3d3f766