Analysis of Malicious RTF file: CVE-2017-0199
CVE-2017-0199 has been found in the latest malware campaign. A patch for this vulnerability was already available in Microsoft's security updates. The vulnerability allows remote attackers to execute arbitrary code via a crafted document.
We obtained the RTF file for analysis:
Using the OfficeMalScanner tools (RTFScan):
fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206_OFkNP1kKL9.bin: Rich Text Format data, version 1, unknown character set
[Image: Embedded OLE document extracted]
We extracted the embedded OLE document from this sample. The following image shows its string details:
[Image: Strings of the OLE object]
We also ran rtfdump against the same sample and got the following:
Drilling further into that embedded object, we found interesting information:
[Image: Malicious file URL]
It downloads a file called myguy.xls from a suspicious IP address.
We searched for it on VirusTotal:
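As an added example (not part of the original post), the following Python script reproduces the triage step that RTFScan and rtfdump performed here: it decodes the hex stream of every \objdata object in an RTF and reports the OLE2Link marker, the \objupdate control word and any URL (ASCII or UTF-16LE) found in the decoded object. The embedded RTF sample, the object layout and the RFC 5737 address 192.0.2.10 are constructed for the demo, not taken from the real sample.

```python
import re
import binascii

# Patterns used for triage: the \objdata hex stream and printable URLs.
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")
URL_RE = re.compile(rb"(?:https?|ftp)://[\x21-\x7e]+", re.I)

def build_sample_rtf(url):
    """Constructed test input: an RTF with one linked object whose \\objdata
    hex stream wraps a blob tagged OLE2Link followed by the remote URL."""
    payload = b"\x01\x05\x00\x00\x02\x00\x00\x00OLE2Link\x00" + url + b"\x00"
    hexdata = binascii.hexlify(payload).decode()
    # RTF writers wrap the hex stream across lines, so do the same here
    wrapped = "\n".join(hexdata[i:i + 32] for i in range(0, len(hexdata), 32))
    return ("{\\rtf1\\ansi{\\object\\objautlink\\objupdate\\objdata\n"
            + wrapped + "}\\par}").encode()

def extract_objdata(rtf):
    """Decode every \\objdata hex stream in the RTF into raw bytes."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        if len(hexstr) % 2:          # tolerate a dangling nibble
            hexstr = hexstr[:-1]
        blobs.append(binascii.unhexlify(hexstr))
    return blobs

def scan_rtf(rtf):
    """Triage report: object count, OLE2Link marker, \\objupdate flag and
    every URL found inside the decoded objects."""
    report = {"is_rtf": rtf.lstrip().startswith(b"{\\rtf"), "objects": 0,
              "ole2link": False, "objupdate": b"\\objupdate" in rtf, "urls": []}
    for blob in extract_objdata(rtf):
        report["objects"] += 1
        if b"OLE2Link" in blob:
            report["ole2link"] = True
        # second pass drops NULs so UTF-16LE encoded URLs become visible too
        for hay in (blob, blob.replace(b"\x00", b"")):
            for u in URL_RE.findall(hay):
                s = u.decode("ascii", "replace")
                if s not in report["urls"]:
                    report["urls"].append(s)
    return report

if __name__ == "__main__":
    sample = build_sample_rtf(b"http://192.0.2.10/myguy.xls")  # constructed
    print(scan_rtf(sample))
```

Any report with objects present, a URL and the \objupdate flag is worth quarantining and checking the URL against VirusTotal as done above.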
[Image: VirusTotal result for the malicious link]
VirusTotal result for the downloaded file: https://www.virustotal.com/en/file/ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6/analysis/
Microsoft already released the patch in April 2017. It is advised to block this malicious URL on the firewall/proxy.
Post made by