Malicious RTF — malware analysis report

Static analysis result for SHA-256 cace0ce8caf29e6b…

Verdict: MALICIOUS
File type: RTF
Size: 857.0 KB
Created: 2017-11-19 09:10:00
First seen: 2017-12-08
MD5: a751bc598c3d70a9c76253b9a5a39ccc
SHA-1: 7c3053b7c40a91961fda931866f559a2b05eb561
SHA-256: cace0ce8caf29e6bbb54833a2386c79fca2162fa50f0e8442815127864fe79d4
Risk score: 442

Malware Insights

MITRE ATT&CK: T1203 Exploitation for Client Execution

The RTF file contains OLE object data that exploits CVE-2017-0199 or CVE-2017-8759, as indicated by the RTF_OLE2LINK_REMOTE_MONIKER_LOADER heuristic. The exploit attempts to download a payload from the URL http://62.109.1.118/t/t.php?stats=send&thread=2. The presence of Metasploit reverse shellcode, together with references to the Windows API functions WinExec, VirtualAlloc, VirtualProtect, LoadLibrary, and GetProcAddress, strongly suggests that a malicious second-stage payload is executed.

Heuristics (12)

  • CVE-2017-0199 / CVE-2017-8759 (OLE2Link auto-activated remote loader)
    Severity: critical; Tags: CVE related; ID: RTF_OLE2LINK_REMOTE_MONIKER_LOADER
    RTF embeds an OLE2Link object that is force-activated with \objupdate (no user interaction on open) and fetches a remote second stage through an INCLUDETEXT/INCLUDEPICTURE field. This is the field-delivered OLE2Link auto-update attack path shared by CVE-2017-0199 (server returns an HTA/scriptlet) and CVE-2017-8759 (server returns a SOAP WSDL the .NET parser compiles). Office processes the fetched response through the same code path; the specific CVE depends on the now-unreachable server content type.
  • ClamAV: Rtf.Downloader.CVE_2017-6336326-3
    Severity: critical; ID: CLAMAV_DETECTION
    ClamAV detected this file as malware: Rtf.Downloader.CVE_2017-6336326-3
  • Metasploit reverse_tcp shellcode
    Severity: critical; ID: SC_MSF_REVERSE
    Metasploit reverse_tcp shellcode
    Disassembly
    Attempted x86 opcode disassembly
    0006D0C5  fc                cld
    0006D0C6  e882000000        call 0x6d14d
    0006D0CB  5f                pop edi
    0006D0CC  5e                pop esi
    0006D0CD  5b                pop ebx
    0006D0CE  8be5              mov esp, ebp
    0006D0D0  5d                pop ebp
    0006D0D1  c3                ret
    0006D0D2  8d4000            lea eax, [eax]
    0006D0D5  53                push ebx
    0006D0D6  56                push esi
    0006D0D7  8bd8              mov ebx, eax
    0006D0D9  3b5324            cmp edx, dword ptr [ebx + 0x24]
    0006D0DC  7436              je 0x6d114
    0006D0DE  8bf2              mov esi, edx
    0006D0E0  85f6              test esi, esi
    0006D0E2  7518              jne 0x6d0fc
    0006D0E4  33c0              xor eax, eax
    0006D0E6  8a4318            mov al, byte ptr [ebx + 0x18]
    0006D0E9  8b04851c3e4700    mov eax, dword ptr [eax*4 + 0x473e1c]
    0006D0F0  50                push eax
    0006D0F1  a1f8a24700        mov eax, dword ptr [0x47a2f8]
    0006D0F6  8b00              mov eax, dword ptr [eax]
    0006D0F8  ffd0              call eax
    0006D0FA  8bd0              mov edx, eax
    0006D0FC  895324            mov dword ptr [ebx + 0x24], edx
    0006D0FF  c6434401          mov byte ptr [ebx + 0x44], 1
    0006D103  8b4304            mov eax, dword ptr [ebx + 4]
    0006D106  e8ba060000        call 0x6d7c5
    0006D10B  85f6              test esi, esi
    0006D10D  7505              jne 0x6d114
    0006D10F  33c0              xor eax, eax
    0006D111  894324            mov dword ptr [ebx + 0x24], eax
    0006D114  5e                pop esi
    0006D115  5b                pop ebx
    0006D116  c3                ret
    0006D117  8bc0              mov eax, eax
    0006D119  3b5028            cmp edx, dword ptr [eax + 0x28]
    0006D11C  7413              je 0x6d131
    0006D11E  895028            mov dword ptr [eax + 0x28], edx
    0006D121  c6402c00          mov byte ptr [eax + 0x2c], 0
  • Reference to WinExec API
    Severity: high; ID: SC_STR_WINEXEC
    Reference to WinExec API
  • Reference to LoadLibrary API
    Severity: high; ID: SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API
    Severity: high; ID: SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • \objupdate forces OLE activation
    Severity: high; ID: RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • INCLUDETEXT/INCLUDEPICTURE remote URL
    Severity: high; ID: RTF_INCLUDE_REMOTE
    RTF document uses INCLUDETEXT or INCLUDEPICTURE with an http:// URL — Word can fetch the remote content on open depending on Office version and external-content settings, enabling remote template injection, NTLM capture via redirects, or payload delivery.
  • Reference to VirtualAlloc API
    Severity: medium; ID: SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Reference to VirtualProtect API
    Severity: medium; ID: SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API
  • OLE object data
    Severity: medium; ID: RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects
  • Embedded URL
    Severity: info; ID: EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://62.109.1.118/t/t.php?stats=send&thread=2 (in RTF body)
    • http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • objdata_00_off0000c568.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0xC568
    Size: 2598 bytes
    SHA-256: 3da8e28b560fc63b56ca3cdb61d46bcb77c92ad09247ae8fd438864642586c28
  • objdata_01_off0000dc96.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0xDC96
    Size: 2674 bytes
    SHA-256: 38614558adf430677ead3e5c8f5aaf3260c7c7c9fdcbf310480234317b8799bf