Image 1: The maldoc titled "ANCALOG[.]doc" reveals RTF artifacts.
Goal: Practice reverse engineering RTF exploits. In this case, we analyze the infamous exploit for MS10-087 CVE-2010-3333. This exploit was heavily used by various Chinese and Eastern-European APT groups. The sample below was submitted from Poland on June 6, 2016.
Credit: Didier Stevens (https://blog.didierstevens.com/2016/08/02/rtfdump-update-and-videos/)
I. Malware Sample: ANCALOG[.]doc
Original Filename | ANCALOG[.]doc |
MD5 | 4483ad299158eb54f6ff58b5346a36ee |
SHA-1 | 7551c2d2c1b3271cecab6fc803626bc3d505aacd |
SHA-256 | 97913941fb149e85d76d82cb19a8045d0cf4f07f7addb91ea94081050e0693b2 |
ssdeep | 48:mdTagznhm11D1Dl8NYYhpWo0FdzMwRH0dgw9h3WEQDT:mxB6VV5o0vH0dJD8T |
Size | 664.9 KB (680855 bytes) |
Type | Rich Text Format |
Magic | Rich Text Format data, version 1, unknown character set |
TrID | Rich Text Format (100.0%) |
Image 2-3: The list of all items in the RTF maldoc as displayed by rtfdump.
Command Sequence:
I. python2.7 rtfdump.py -y rtf.yara 97913941fb149e85d76d82cb19a8045d0cf4f07f7addb91ea94081050e0693b2
Image 4: The maldoc scan by the RTF Yara ruleset reveals various signs of exploitation inside the maldoc.
II. python2.7 rtfdump.py -s 337677 97913941fb149e85d76d82cb19a8045d0cf4f07f7addb91ea94081050e0693b2
Image 5: The rtfdump script reveals the encoded payload inside the maldoc.
III. python2.7 rtfdump.py -s 338677 -H ../97913941fb149e85d76d82cb19a8045d0cf4f07f7addb91ea94081050e0693b2
Image 6: The hex-decoded values reveal six sequential NOP instructions (a NOP sled, often used to set the stage for an exploit) at "0x35" and the "cmd" script at the end.
IV. python2.7 rtfdump.py -s 338677 -H -c "0x35:" -d ../97913941fb149e85d76d82cb19a8045d0cf4f07f7addb91ea94081050e0693b2 > shellcode.bin
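To show what the four rtfdump steps above recover from a file, and what the YARA rules listed further down look for, here is an added Python example. It is my own code, not rtfdump and not the page's ANCALOG sample: it walks the RTF group tree, hex-decodes the data carried inside groups such as \objdata or a pFragments \sv value, and runs checks that mirror the page's YARA rules (the OLE1 object header bytes, the ListView2 CLSID bytes, pFragments, INCLUDEPICTURE plus http) together with the NOP-run and "cmd" observations from the hex dump. The RTF document it runs on is constructed inline and is hypothetical.

```python
"""Minimal RTF triage helper (added example, not rtfdump and not the page's sample)."""
import re

# Byte patterns taken from the page's YARA rules
OLE1_OBJECT_HEADER = bytes.fromhex("0105000002000000")           # rule RTF_Object
LISTVIEW2_CLSID = bytes.fromhex("4BF0D1BD8B85D111B16A00C0F0283628")  # rule ListView2_CLSID
# A run of at least 8 hex bytes, whitespace between bytes tolerated
HEX_RUN = re.compile(rb"(?:[0-9A-Fa-f]{2}\s*){8,}")
# Control word that opens a group, e.g. {\objdata or {\*\objdata
LEADING_WORD = re.compile(rb"\{(?:\\\*)?\\([A-Za-z]+)")

# Constructed sample document (hypothetical): the same payload is carried twice,
# once as a pFragments \sv value and once as \objdata, so both paths are exercised.
PAYLOAD = OLE1_OBJECT_HEADER + b"\x90" * 6 + b"cmd.exe /c calc\x00"
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\deff0"
    b"{\\shp{\\*\\shpinst{\\sp{\\sn pFragments}{\\sv 1;1;" + PAYLOAD.hex().encode() + b"}}}}"
    b"{\\object\\objemb{\\*\\objdata " + PAYLOAD.hex().encode() + b"}}"
    b"\\par Hello}"
)


def rtf_groups(rtf: bytes):
    """Return (depth, offset, body) for every {...} group, in closing order, so each
    group is listed before its ancestors. Escaped \\{ \\} \\\\ are skipped so they
    cannot unbalance the brace walk."""
    groups, stack, i = [], [], 0
    while i < len(rtf):
        c = rtf[i:i + 1]
        if c == b"\\" and rtf[i + 1:i + 2] in (b"{", b"}", b"\\"):
            i += 2
            continue
        if c == b"{":
            stack.append(i)
        elif c == b"}" and stack:
            start = stack.pop()
            groups.append((len(stack), start, rtf[start:i + 1]))
        i += 1
    return groups


def hex_payloads(rtf: bytes):
    """Hex-decode every long hex run, attributed to the innermost group containing it
    (this is the rtfdump '-H' step done by hand)."""
    seen = {}
    for _depth, offset, body in rtf_groups(rtf):
        m = LEADING_WORD.match(body)
        word = m.group(1).decode() if m else ""
        for run in HEX_RUN.finditer(body):
            abs_start = offset + run.start()
            if abs_start in seen:            # already attributed to a deeper group
                continue
            raw = re.sub(rb"\s", b"", run.group(0))
            raw = raw[: len(raw) - len(raw) % 2]   # drop a dangling nibble
            seen[abs_start] = {"control_word": word, "offset": abs_start,
                               "data": bytes.fromhex(raw.decode())}
    return list(seen.values())


def indicators(data: bytes) -> dict:
    """Per-payload checks: the two byte-pattern rules plus the NOP run and 'cmd' string
    the write-up points out in the hex dump."""
    nop_run = max((len(m.group(0)) for m in re.finditer(rb"\x90+", data)), default=0)
    return {
        "ole1_object_header": OLE1_OBJECT_HEADER in data,
        "listview2_clsid": LISTVIEW2_CLSID in data,
        "nop_run_length": nop_run,
        "cmd_offset": data.find(b"cmd"),
    }


def triage(rtf: bytes) -> dict:
    """Document-level checks mirroring the string rules, plus per-payload checks."""
    lower = rtf.lower()
    return {
        "pFragments": b"pFragments" in rtf,                                  # rule pFragments
        "http": b"http" in lower,                                            # rule http (nocase)
        "includepicture_http": b"INCLUDEPICTURE" in rtf and b"http" in lower,  # rule includepicture_http
        "payloads": [dict(p, **indicators(p["data"])) for p in hex_payloads(rtf)],
    }


if __name__ == "__main__":
    rep = triage(SAMPLE_RTF)
    for key in ("pFragments", "http", "includepicture_http"):
        print(f"{key}: {rep[key]}")
    for p in rep["payloads"]:
        print(f"\\{p['control_word']} at offset {p['offset']}: {len(p['data'])} bytes, "
              f"OLE1 header={p['ole1_object_header']}, NOP run={p['nop_run_length']}, "
              f"'cmd' at {p['cmd_offset']}")
```

On a real file, read it as bytes and pass it to triage(); the offsets it reports are byte offsets into the RTF, which is how you would pick the item to hand to rtfdump's -s and -c options.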
Yara RTF Maldoc Signature:
rule includepicture_http
{
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
    strings:
        $a1 = "INCLUDEPICTURE"
        $a2 = "http" nocase
    condition:
        $a1 and $a2
}

rule ListView2_CLSID
{
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
    strings:
        $a1 = {4B F0 D1 BD 8B 85 D1 11 B1 6A 00 C0 F0 28 36 28}
    condition:
        any of them
}

rule http
{
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
    strings:
        $a1 = "http" nocase
    condition:
        $a1
}

rule RTF_Object
{
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
    strings:
        $a1 = {01 05 00 00 02 00 00 00}
    condition:
        any of them
}

rule pFragments
{
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
    strings:
        $a1 = "pFragments"
    condition:
        $a1
}