Summary
CVE-2017-0199 is being exploited in a recent malware campaign. A patch for this vulnerability was already available in Microsoft's security updates (April 2017). The vulnerability allows remote attackers to execute arbitrary code via a crafted document: an embedded OLE object in the document retrieves content from an attacker-controlled URL when the file is opened.
Sample analysis
We obtained the RTF sample for analysis.
Running OfficeMalScanner on the sample (it detects the RTF container and hands off to RTFScan):
[*] SCAN mode selected
[*] Opening file C:\Documents and Settings\Desktop\fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206_OFkNP1kKL9.bin\fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206_OFkNP1kKL9.bin
[*] Filesize is 6215 (0x1847) Bytes
RTF file format detected.
Please use RTFScan.
The file type and hash of the sample:
fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206_OFkNP1kKL9.bin: Rich Text Format data, version 1, unknown character set
MD5: 51c028cd5f3afe9bf179d81def8d7a8e
[Image: Embedded OLE document extracted]
We extracted the embedded OLE object from the sample; the following image shows the strings it contains:
[Image: Strings of OLE object]
Running rtfdump against the same sample shows the \objdata group that carries the embedded object:
[Image: Objdata]
Drilling further into the decoded object data, we found the following:
[Image: Malicious file URL]
The object downloads a file called myguy.xls from a suspicious IP address:
hxxp://84.200.16(.)242/myguy.xls
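The drill-down above (rtfdump to locate \objdata, decode the hex, then look for the download URL inside the object) can be scripted. The following is an added example, not rtfdump or OfficeMalScanner code and not the analyst's own tooling. It extracts every \objdata blob from an RTF, reads the OLE1 object header (OLEVersion, FormatID, class name), and scans the object for ASCII and UTF-16LE URLs. The RTF it runs on is constructed inline as a stand-in for the real sample, with a hypothetical RFC 5737 test address in place of the actual host; the assumption that the URL appears as a plain string in the object data is what held for this sample.

```python
"""Added example (not rtfdump / OfficeMalScanner output): pull the hex-encoded
\\objdata blob out of an RTF, decode it, read the OLE1 object header and hunt
for ASCII / UTF-16LE URLs in the object."""
import re
import struct

# Hex payload of a {\*\objdata ...} group. Assumes the group holds no nested
# braces, which is the common case for \objdata.
OBJDATA_RE = re.compile(rb"\\objdata\b(.*?)\}", re.S)
CONTROL_WORD_RE = re.compile(rb"\\[A-Za-z]+-?\d* ?")
URL_ASCII_RE = re.compile(rb"https?://[\x21-\x7e]+")
URL_WIDE_RE = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+")


def extract_objdata(rtf: bytes) -> list:
    """Return the decoded binary payload of every \\objdata group in the RTF."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        raw = CONTROL_WORD_RE.sub(b"", m.group(1))        # drop stray control words
        hexdigits = re.sub(rb"[^0-9A-Fa-f]", b"", raw)    # keep hex only; skip CR/LF
        if len(hexdigits) % 2:
            hexdigits = hexdigits[:-1]                    # tolerate a truncated blob
        blobs.append(bytes.fromhex(hexdigits.decode("ascii")))
    return blobs


def parse_ole1_header(blob: bytes) -> dict:
    """Read the OLE1 ObjectHeader: OLEVersion, FormatID, length-prefixed ClassName."""
    version, format_id, cls_len = struct.unpack_from("<III", blob, 0)
    class_name = blob[12:12 + cls_len].rstrip(b"\x00").decode("latin-1")
    return {"ole_version": version, "format_id": format_id, "class_name": class_name}


def find_urls(blob: bytes) -> list:
    """URLs stored either as ASCII or as UTF-16LE inside the object data."""
    urls = {m.group(0).decode("ascii") for m in URL_ASCII_RE.finditer(blob)}
    urls |= {m.group(0).decode("utf-16-le") for m in URL_WIDE_RE.finditer(blob)}
    return sorted(urls)


def defang(url: str) -> str:
    """hxxp://host(.)tld/... style, so the indicator is safe to paste into a report."""
    scheme, rest = url.split("://", 1)
    host, sep, path = rest.partition("/")
    return scheme.replace("tt", "xx", 1) + "://" + host.replace(".", "(.)") + sep + path


def analyze(rtf: bytes) -> list:
    """One record per embedded object: header fields plus any URLs found in it."""
    results = []
    for blob in extract_objdata(rtf):
        rec = parse_ole1_header(blob)
        rec["urls"] = find_urls(blob)
        results.append(rec)
    return results


def build_sample_rtf(url: str) -> bytes:
    """Constructed stand-in for the malicious document (NOT the real sample): an RTF
    whose embedded object carries the download URL both as UTF-16LE and as ASCII."""
    cls = b"Word.Document.8"
    native = url.encode("utf-16-le") + b"\x00\x00" + url.encode("ascii") + b"\x00"
    payload = (struct.pack("<III", 0x501, 2, len(cls) + 1) + cls + b"\x00"
               + struct.pack("<II", 0, 0)                 # empty TopicName / ItemName
               + struct.pack("<I", len(native)) + native)
    hexblob = payload.hex()
    # RTF writers wrap the hex across lines; mimic that so the extractor has to cope.
    wrapped = "\r\n".join(hexblob[i:i + 64] for i in range(0, len(hexblob), 64))
    rtf = ("{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Arial;}}\\pard Invoice attached "
           "{\\object\\objautlink\\objupdate{\\*\\objdata " + wrapped + "}}\\par}")
    return rtf.encode("ascii")


if __name__ == "__main__":
    # Hypothetical host (RFC 5737 documentation range), not the campaign's real IP.
    sample = build_sample_rtf("http://198.51.100.7/myguy.xls")
    for rec in analyze(sample):
        print(rec["class_name"], [defang(u) for u in rec["urls"]])
```

To run it on a real document, replace the constructed sample with `open(path, "rb").read()`. The UTF-16LE pattern matters in practice: URLs inside OLE objects are often stored as wide strings, so a plain `strings` run without the `-el` option misses them.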
We searched the URL on VirusTotal:
[Image: VirusTotal result for that malicious link]
VirusTotal result for the downloaded file: https://www.virustotal.com/en/file/ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6/analysis/
Conclusion
Microsoft released the patch for this vulnerability in April 2017; unpatched systems remain exploitable by documents like this one, so apply the update first. As a secondary measure, block the URL above on the firewall/proxy, keeping in mind that the download host is trivial for the attacker to change.