This is my first malware analysis writeup. It covers payment.doc, an RTF document with a trojan downloader embedded in it.
File Info
File Info | Payment.doc |
---|---|
MD5 | 064e82d1a926409f264a8152e315a86e |
SHA1 | a725f29ee627eed17ef56dca8442704e70d5adf5 |
SHA256 | 81083c18e310a1af8ae08c3e5c9eb0e1beea3cb04b2225e5f559ee4ff37e545c |
File Type | Rich Text Format |
File Size | 1.15MB |
VirusTotal | Link |
Summary of analysis
The RTF exploits CVE-2012-0158, a stack buffer overflow in the ListView/TreeView ActiveX controls shipped in MSCOMCTL.OCX. It targets MS Office 2003, 2007 and 2010.
In this analysis I will not cover the buffer overflow itself. Instead I extract the embedded OLE object, which holds the shellcode that downloads and runs the second-stage executable.
Identification
The document carries a .doc extension, but the file command shows that the data is actually Rich Text Format (RTF): an RTF file begins with the {\rtf signature, whereas a real .doc is an OLE compound file.
Characteristics
Dumping the RTF structure with rtfdump.py shows a very large number of groups, which suggests obfuscation: legitimate documents rarely need thousands of nested groups.
Focus on embedded object
We are looking for the group with the most hex characters inside it. Group 165 starts with \*\objdata, the control word used to embed an object in an RTF file. Rather than placing the object data directly in group 165, the adversary added one more nesting level within it. In the rtfdump.py listing, c= is the number of child groups and h= is the number of hex characters in the group.
Group 165 has 1 child nested within it, whereas group 166 has 4661 subgroups, which makes it suspicious: the object's hex data has been split across thousands of tiny groups.
We can look at the content of group 166 with rtfdump.py:

```shell
rtfdump.py payment.doc -s 166 | more
```

Looking at the content, the meaningful hex characters are interleaved with the junk groups (the listing shows fragments such as “{0” and “..1”). We will now dump the hex content out to verify our analysis.
Dumping the hex content
We dump the content with the following command; the -H option tells rtfdump.py to hex-decode the data:

```shell
rtfdump.py payment.doc -s 166 -H > payment.hex
```

Opening the decoded content, we find a suspicious URL that downloads nestom22.exe.
We now carve the region from offset 0xBA0 to 0xCE0 into a .bin file. How do we know those bounds? The bytes at 0xBA0 begin with 90 90 90 90: 0x90 is the x86 NOP instruction, so this is a NOP sled placed in front of the shellcode, and the shellcode starts there. The range up to 0xCE0 covers the shellcode that follows the sled.
We then convert the extracted .bin into an exe with shellcode2exe.py, which wraps the raw shellcode in a PE stub so it can be run and debugged like a normal executable.
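The group inspection (c=/h= counts, following the extra nesting level under \*\objdata) and the carving step (hex-decode, find the NOP sled, extract the URL) above, as an added worked example that is not part of the original writeup and does not use rtfdump.py or shellcode2exe.py. The RTF it parses, the 32 bytes of filler standing in for the OLE object header, and the URL http://example.invalid/drop.exe are constructed for the example; in the real sample the sled sits at 0xBA0, here it lands at 0x20.

```python
"""Added example (not the author's tooling, not rtfdump.py): walk an RTF's
groups, find the \\*\\objdata group, decode its hex payload, carve the
shellcode at the NOP sled and pull out the download URL.  The RTF built
below is constructed for this example; it is not payment.doc."""
import re

# Constructed stand-ins. In the real sample the shellcode sits at 0xBA0, after
# the OLE object data; here 32 bytes of filler play the role of that header.
OLE_HEADER_STAND_IN = b"\x01\x05\x00\x00\x02\x00\x00\x00" + b"\x00" * 24
SAMPLE_SHELLCODE = (
    b"\x90" * 8                                   # NOP sled in front of the code
    + b"\x31\xc0\x50\x68"                         # a few placeholder opcode bytes
    + b"http://example.invalid/drop.exe\x00"      # constructed URL, not the real IOC
    + b"word.scr\x00"
)
SAMPLE_OBJDATA = OLE_HEADER_STAND_IN + SAMPLE_SHELLCODE


def build_sample_rtf(objdata: bytes) -> bytes:
    """Constructed RTF: every hex pair of the object data is wrapped in its own
    junk group, mimicking the thousands of subgroups seen under \\objdata."""
    hexstr = objdata.hex()
    junk = "".join("{\\junk %s}" % hexstr[i:i + 2] for i in range(0, len(hexstr), 2))
    body = "{\\object\\objemb{\\*\\objdata {%s}}}" % junk
    return ("{\\rtf1 padding text " + "{\\junk 1}" * 5 + body + "}").encode()


def parse_groups(rtf: bytes) -> list:
    """Return (start, end, depth) for every {...} group, in order of appearance;
    the 1-based position in this list is the group number used below."""
    groups, stack, i = [], [], 0
    while i < len(rtf):
        c = rtf[i]
        if c == 0x5C:                 # backslash: skip escaped char / control word start
            i += 2
            continue
        if c == 0x7B:                 # {
            stack.append((i, len(stack)))
        elif c == 0x7D and stack:     # }
            start, depth = stack.pop()
            groups.append((start, i + 1, depth))
        i += 1
    groups.sort()
    return groups


def direct_children(groups: list, parent: tuple) -> list:
    s, e, d = parent
    return [g for g in groups if s < g[0] and g[1] <= e and g[2] == d + 1]


CONTROL_WORD = re.compile(rb"\\'[0-9a-fA-F]{2}|\\[A-Za-z]+-?\d* ?|\\.")
HEX_DIGIT = re.compile(rb"[0-9a-fA-F]")


def group_hex(rtf: bytes, g: tuple) -> bytes:
    """Hex digits inside a group (children included) once control words are
    stripped; braces and whitespace are simply not hex and fall away."""
    inner = CONTROL_WORD.sub(b"", rtf[g[0] + 1:g[1] - 1])
    return b"".join(HEX_DIGIT.findall(inner))


def find_objdata_group(rtf: bytes, groups: list):
    for g in groups:
        if rtf[g[0] + 1:g[1] - 1].lstrip().startswith(b"\\*\\objdata"):
            return g
    return None


def descend_to_payload(groups: list, g: tuple) -> tuple:
    """Follow single-child nesting (the extra level the attacker added) down to
    the group that fans out into many hex-carrying subgroups."""
    while True:
        kids = direct_children(groups, g)
        if len(kids) != 1:
            return g
        g = kids[0]


def find_nop_sled(blob: bytes, minimum: int = 4) -> int:
    """Offset of the first run of at least `minimum` 0x90 (x86 NOP) bytes, or -1."""
    m = re.search(rb"\x90{%d,}" % minimum, blob)
    return m.start() if m else -1


URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def defang(url: str) -> str:
    return "hxxp" + url[4:]


def analyze(rtf: bytes) -> dict:
    groups = parse_groups(rtf)
    obj = find_objdata_group(rtf, groups)
    if obj is None:
        raise ValueError("no \\*\\objdata group found")
    payload = descend_to_payload(groups, obj)
    hexdigits = group_hex(rtf, payload)
    blob = bytes.fromhex(hexdigits[:len(hexdigits) & ~1].decode())
    sled = find_nop_sled(blob)
    shellcode = blob[sled:] if sled >= 0 else b""
    return {
        "objdata_group": groups.index(obj) + 1,
        "payload_group": groups.index(payload) + 1,
        "subgroups": len(direct_children(groups, payload)),
        "hex_digits": len(hexdigits),
        "sled_offset": sled,
        "shellcode": shellcode,
        "urls": [defang(u.decode()) for u in URL_RE.findall(shellcode)],
    }


if __name__ == "__main__":
    r = analyze(build_sample_rtf(SAMPLE_OBJDATA))
    print({k: v for k, v in r.items() if k != "shellcode"})
```

On the constructed sample this reports the \*\objdata group as group 8 with a single child (group 9) that in turn has 85 subgroups and 170 hex digits, and a sled at offset 0x20; the same logic applied to payment.doc is what puts the sled at 0xBA0. Carving from the first NOP run is a heuristic: real shellcode can start without a sled, and a lone 0x90 run can also occur inside legitimate data, so always confirm the carved bytes disassemble sensibly before wrapping them with shellcode2exe.py.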
Dependencies
After converting the .bin into an exe, we obtain the following static properties:
File Info | Payment.exe |
---|---|
MD5 | D7EBBE76012C62DE6370647BF7A9DFA0 |
SHA1 | F4887FA858B4DDFFD84C6EE1445AAEFDF38EE4E3 |
SHA256 | F9120A485EDA066334F29C1453F7A019BE532C2D51B711DF505F877BD613AA30 |
File Type | Executable |
File Size | 6.5KB |
VirusTotal | Link |
Shellcode
We use pestudio to confirm that payment.exe is an executable. The first bytes are MZP: MZ is the DOS executable signature, and the trailing P is characteristic of Delphi (Pascal) compiled binaries. Note that because payment.exe was produced by shellcode2exe.py, this header belongs to the wrapper stub, not to the shellcode itself.
The strings command shows the URL, but it does not show how the code uses it. So we run the shellcode to see what it actually does.
Executing the shellcode shows exactly what runs: the embedded code calls URLDownloadToFileA to fetch hxxp://rtnlogistics.com/nestom22.exe and saves it as word.scr.
The shellcode then calls WinExec(word.scr); WinExec launches another program from the running process, so the downloaded file is executed immediately.
Behavioral and code analysis findings
Running it in a debugger, we see that at 0040103E the shellcode starts loading the MZP bytes, the executable's starting signature.
Single stepping further, at 004010CB the call to URLDownloadToFileA is made.
Secondary exe - nestom22.exe
nestom22.exe could no longer be retrieved at the time of analysis. Nevertheless we can conclude that the RTF is a downloader that fetches a second executable and runs it.
Incident recommendation
We have identified the IOCs from the initial analysis; without the second-stage exe we cannot verify its contents. We do know, however, that the RTF acts as a trojan downloader. Note that the Payment.exe hash below is the hash of the shellcode2exe.py wrapper built during this analysis, so it identifies this artefact rather than the malware as found in the wild; the document hash and the URL are the IOCs to hunt for.
IOC | Value |
---|---|
URL | hxxp://rtnlogistics.com/nestom22.exe |
Payment.doc SHA256 | 81083c18e310a1af8ae08c3e5c9eb0e1beea3cb04b2225e5f559ee4ff37e545c |
Payment.exe SHA256 | F9120A485EDA066334F29C1453F7A019BE532C2D51B711DF505F877BD613AA30 |