Reversing Malicious RTF Document: MS10-087 Exploit CVE-2010-3333

Image 1: The maldoc titled “ANCALOG[.]doc” reveals RTF artifacts.
Goal: Practice reverse engineering RTF exploits. In this case, we analyze the infamous exploit for MS10-087 (CVE-2010-3333). This exploit was heavily used by various Chinese and Eastern European APT groups. The sample below was submitted from Poland on June 6, 2016.

I. Malware Sample: ANCALOG[.]doc
Original Filename  ANCALOG[.]doc
MD5                4483ad299158eb54f6ff58b5346a36ee
SHA-1              7551c2d2c1b3271cecab6fc803626bc3d505aacd
SHA-256            97913941fb149e85d76d82cb19a8045d0cf4f07f7addb91ea94081050e0693b2
ssdeep             48:mdTagznhm11D1Dl8NYYhpWo0FdzMwRH0dgw9h3WEQDT:mxB6VV5o0vH0dJD8T
Size               664.9 KB (680855 bytes)
Type               Rich Text Format
Magic              Rich Text Format data, version 1, unknown character set
TrID               Rich Text Format (100.0%)

Image 2-3: The list of all contents of the RTF maldoc as displayed by rtfdump.
Command Sequence:
I. python2.7 rtfdump.py -y rtf.yara 97913941fb149e85d76d82cb19a8045d0cf4f07f7addb91ea94081050e0693b2

Image 4: Scanning the maldoc with the RTF YARA ruleset reveals several signs of exploitation inside the document.


II. python2.7 rtfdump.py -s 337677 97913941fb149e85d76d82cb19a8045d0cf4f07f7addb91ea94081050e0693b2 

Image 5: The rtfdump script reveals the encoded payload inside the maldoc.


III. python2.7 rtfdump.py -s 338677 -H ../97913941fb149e85d76d82cb19a8045d0cf4f07f7addb91ea94081050e0693b2 

Image 6: The hex-decoded bytes reveal six consecutive NOP instructions (a NOP sled, commonly used to set the stage for the exploit) at offset 0x35 and the “cmd” script at the end.


IV. python2.7 rtfdump.py -s 338677 -H -c "0x35:" -d ../97913941fb149e85d76d82cb19a8045d0cf4f07f7addb91ea94081050e0693b2 > shellcode.bin
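The four steps above, walking RTF groups, decoding a hex-encoded group the way rtfdump -H does, and locating the NOP run and the OLE object header that the RTF_Object YARA rule keys on, as one added Python script (example code, not part of the original post and not rtfdump itself). The RTF sample and its payload are constructed; rtf_groups, decode_hex_group, find_nop_sled and analyze are hypothetical names.

```python
import re

# The OLE 1.0 object header that the page's RTF_Object YARA rule matches on.
RTF_OBJECT_HEADER = bytes.fromhex("0105000002000000")
CONTROL_WORD = re.compile(r"\\([A-Za-z]+-?\d*|[^A-Za-z])")

def rtf_groups(rtf):
    """Return the text of every {...} group, excluding text owned by nested groups."""
    bufs, done, i = [], [], 0
    while i < len(rtf):
        c = rtf[i]
        if c == "\\" and bufs and i + 1 < len(rtf):  # keep control symbols like \{ intact
            bufs[-1].append(rtf[i:i + 2]); i += 2; continue
        if c == "{": bufs.append([])
        elif c == "}" and bufs: done.append("".join(bufs.pop()))
        elif bufs: bufs[-1].append(c)
        i += 1
    return done

def decode_hex_group(text, min_bytes=8):
    """Like rtfdump -H: drop control words and whitespace, keep hex digits, decode if mostly hex."""
    body = re.sub(r"\s", "", CONTROL_WORD.sub("", text))
    digits = re.sub(r"[^0-9A-Fa-f]", "", body)
    if len(digits) < 2 * min_bytes or len(digits) < 0.9 * len(body):
        return None
    return bytes.fromhex(digits[: len(digits) // 2 * 2])

def find_nop_sled(data, min_run=6):
    """Offset of the first run of at least min_run NOP (0x90) bytes, or -1 if none."""
    run = 0
    for off, b in enumerate(data):
        run = run + 1 if b == 0x90 else 0
        if run == min_run:
            return off - min_run + 1
    return -1

def analyze(rtf):
    """For each hex-encoded group report size, OLE header match, NOP sled offset and a 'cmd' string."""
    findings = []
    for group in rtf_groups(rtf):
        data = decode_hex_group(group)
        if data is not None:
            findings.append({"bytes": len(data), "ole_object": data.startswith(RTF_OBJECT_HEADER),
                             "nop_sled_at": find_nop_sled(data), "has_cmd": b"cmd" in data})
    return findings

# Constructed sample (not the real maldoc): an OLE header, 45 filler bytes, six NOPs landing
# at offset 0x35 and the string "cmd", all hex-encoded inside an \objdata group.
PAYLOAD_HEX = "0105000002000000" + "41" * 45 + "909090909090" + "636d64"
SAMPLE_RTF = r"{\rtf1\ansi{\fonttbl{\f0 Arial;}}{\object\objdata " + PAYLOAD_HEX + "}}"
```

Running analyze(SAMPLE_RTF) reports one decoded group of 62 bytes with the OLE header present, a NOP sled at 0x35 and the "cmd" string, mirroring what rtfdump shows for the real sample.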

Yara RTF Maldoc Signature:

rule includepicture_http
{
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
    strings:
        $a1 = "INCLUDEPICTURE"
        $a2 = "http" nocase
    condition:
        $a1 and $a2
}
rule ListView2_CLSID
{
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
    strings:
        $a1 = {4B F0 D1 BD 8B 85 D1 11 B1 6A 00 C0 F0 28 36 28}
    condition:
        any of them
}
rule http
{
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
    strings:
        $a1 = "http" nocase
    condition:
        $a1
}
rule RTF_Object
{
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
    strings:
        $a1 = {01 05 00 00 02 00 00 00}
    condition:
        any of them
}
rule pFragments
{
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
    strings:
        $a1 = "pFragments"
    condition:
        $a1
}

