Wednesday, July 5, 2017

Analysis of Malicious RTF file: CVE-2017-0199

Summary
CVE-2017-0199 is being used in the latest malware campaign. A patch for this vulnerability was already available in Microsoft's security updates. The vulnerability allows remote attackers to execute arbitrary code via a crafted document.

Sample analysis
We got the RTF file for analysis:

Using the OfficeMalScanner tools (rtfscan):


[*] SCAN mode selected
[*] Opening file C:\Documents and Settings\Desktop\fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206_OFkNP1kKL9.bin\fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206_OFkNP1kKL9.bin
[*] Filesize is 6215 (0x1847) Bytes
RTF file format detected. Please use RTFScan.

fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206_OFkNP1kKL9.bin: Rich Text Format data, version 1, unknown character set
MD5: 51c028cd5f3afe9bf179d81def8d7a8e

Embedded OLE document extracted
We extracted the embedded OLE document from this sample; the following image shows its string details:


Strings of OLE object
We tried rtfdump on the same sample and got the following:
Objdata
We drilled further into that embedded object and found interesting information in it.
Malicious file URL
It downloads a file called myguy.xls from a suspicious IP address:
hxxp://84.200.16(.)242/myguy.xls
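As an added example (not the author's tooling and not part of the original post), the following Python script does by hand what the rtfdump step above shows: it pulls the hex payload of each `\objdata` control word, decodes it, and reports any URL it contains in defanged form, together with control words such as `\objupdate` that make the host act on the object when the document opens. The input RTF is constructed inline for the demonstration, and `example.invalid` is a reserved name rather than a live host.

```python
"""Triage helper for RTF files that carry OLE objects.

Added example (not the author's tooling): pulls the hex payload of every
\\objdata control word, decodes it, reports embedded URLs in defanged form
and notes RTF control words that make the host act on the object at open
time. The sample document is constructed inline; example.invalid is a
reserved, non-routable name.
"""
import binascii
import json
import re
import sys

# \objdata is followed by a run of hex digits (whitespace allowed) that ends
# at the closing brace of its group.
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")

# Control words worth flagging: \objupdate forces the object to be refreshed
# before display, \objautlink/\objlink mark the object as a link rather than
# an embedded copy.
FLAG_RE = re.compile(rb"\\(objupdate|objautlink|objlink|objemb)\b")

URL_RE = re.compile(r"(?:https?|ftp)://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")


def extract_objdata(rtf: bytes) -> list:
    """Return the decoded bytes of each \\objdata payload in the document."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        if len(hexdata) % 2:          # tolerate a truncated trailing nibble
            hexdata = hexdata[:-1]
        blobs.append(binascii.unhexlify(hexdata))
    return blobs


def find_urls(blob: bytes) -> list:
    """Find URLs stored as 8-bit or UTF-16LE strings inside a decoded object."""
    views = [blob.decode("latin-1")]
    for offset in (0, 1):             # wide strings may start on either byte
        views.append(blob[offset:].decode("utf-16-le", errors="ignore"))
    found = []
    for text in views:
        for url in URL_RE.findall(text):
            if url not in found:
                found.append(url)
    return found


def defang(url: str) -> str:
    """Render a URL so it cannot be clicked or fetched by accident."""
    scheme, _, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return f"{scheme.replace('http', 'hxxp')}://{host.replace('.', '(.)')}{slash}{path}"


def triage(rtf: bytes) -> dict:
    """Summarise the OLE objects in an RTF file for an analyst's report."""
    blobs = extract_objdata(rtf)
    urls = []
    for blob in blobs:
        for url in find_urls(blob):
            if url not in urls:
                urls.append(url)
    flags = sorted({m.decode() for m in FLAG_RE.findall(rtf)})
    return {
        "object_count": len(blobs),
        "urls": urls,
        "defanged": [defang(u) for u in urls],
        "flags": flags,
    }


def build_sample() -> bytes:
    """Constructed RTF with one linked object whose payload holds a URL."""
    blob = (b"\x01\x05\x00\x00\x02\x00\x00\x00"
            + b"http://example.invalid/myguy.xls\x00" + b"\x00" * 4)
    hexdata = binascii.hexlify(blob).decode()
    lines = "\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return ("{\\rtf1\\ansi\n"
            "{\\object\\objautlink\\objupdate\\objw1\\objh1{\\*\\objdata\n"
            + lines + "\n}}\n\\par}\n").encode()


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(json.dumps(triage(data), indent=2))
```

Run it with a file path to triage a real sample, or with no arguments to see the result on the constructed document. The script only decodes and searches the payload; it never fetches anything, which is the point of reporting the URL defanged so it can be handed to the firewall/proxy team as a block-list entry.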
We searched it in VT:

VirusTotal result for that malicious link


Conclusion
Microsoft released a patch for this vulnerability in April 2017. It is advised to block this malicious URL on the firewall/proxy.

