Part 3 of preparing for GIAC GREM
Requirements
- FLAREVM
- rtfobj.py
- rtfdump.py
- Hex Editor (I use 010)
- Malware Sample
embedi/CVE-2017-11882: Proof-of-Concept exploits for CVE-2017-11882 (github.com)
Introduction
Analyzing RTF (Rich Text Format) malware is a critical task in cybersecurity. RTF files, commonly used for document exchange, can contain hidden malicious code, making them potential vectors for malware infections. The analysis process involves examining the structure, content, and behavior of the embedded code, employing static and dynamic analysis techniques, and searching for indicators of compromise (IOCs) to understand the malware’s capabilities and potential impact. Security professionals utilize specialized tools, sandboxes, and threat intelligence to stay updated and detect these evolving threats, ensuring the protection of computer systems against RTF-based cyberattacks.
Right off the bat, the rtfobj analysis shows that the sample has been detected and reports the CVE number for further investigation.
However, let's ignore that and continue our own analysis with the help of rtfdump.py.
Notice line 7 of the rtfdump listing. Common control words associated with embedded objects include \object, \objemb, \objclass, and \objdata.
There seems to be something there. Let's dump that entry to a .txt file to analyze it further.
py .\rtfdump.py <file> -s 7 -H > <output file>
This command selects the item on line 7 of the listing using -s and outputs it as a hex dump with -H. The > redirection operator writes the output to a file; in my case I used test.txt.
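To make the control-word passage and the dump step concrete, here is an added Python example (my own code, not code from this post, from rtfdump.py or from rtfobj) that counts those four control words in an RTF file, decodes the hex inside each \objdata group, and parses the OLE 1.0 object header that follows it, which is the information rtfobj summarises in its listing. The RTF document it runs on is constructed inline; the Equation.3 class name, the EXAMPLE-NATIVE-DATA payload and the ole1_embedded, extract_objdata, parse_ole1 and analyze helpers are all my own assumptions for illustration, and the parser deliberately handles only plain hex runs (real samples often add junk or nested groups that rtfobj copes with).

```python
import re
import struct
import binascii

# The four object-related control words the post points at.
OBJECT_CONTROL_WORDS = (r"\object", r"\objemb", r"\objclass", r"\objdata")


def ole1_embedded(class_name: bytes, native: bytes) -> bytes:
    """Build an OLE 1.0 EmbeddedObject (ObjectHeader + NativeData, laid out as in
    MS-OLEDS) around some native data. Used only to construct the sample below."""
    cls = class_name + b"\x00"
    return (struct.pack("<II", 0x00000501, 2)      # OLEVersion, FormatID 2 = embedded
            + struct.pack("<I", len(cls)) + cls    # ClassName (length-prefixed ANSI string)
            + struct.pack("<I", 0)                 # TopicName: empty
            + struct.pack("<I", 0)                 # ItemName: empty
            + struct.pack("<I", len(native)) + native)


# Constructed sample RTF (assumption, not the PoC document from the post): one
# embedded object whose \objdata holds the hex encoding of a made-up OLE 1.0 object.
_OBJ_HEX = binascii.hexlify(ole1_embedded(b"Equation.3", b"EXAMPLE-NATIVE-DATA")).decode()
SAMPLE_RTF = (
    r"{\rtf1\ansi\deff0{\fonttbl{\f0 Arial;}}"
    r"\pard Hello, world.\par"
    r"{\object\objemb\objw1000\objh1000"
    r"{\*\objclass Equation.3}"
    r"{\*\objdata " + _OBJ_HEX + "}"   # closes the \objdata group
    "}}"                               # closes \object and the document
)


def find_control_words(rtf: str) -> dict:
    """Count each object-related control word; a trailing letter would make it a
    different word (e.g. \objw), so that case is excluded."""
    return {cw: len(re.findall(re.escape(cw) + r"(?![a-zA-Z])", rtf))
            for cw in OBJECT_CONTROL_WORDS}


def extract_objdata(rtf: str) -> list:
    """Decode every \objdata group into bytes. Everything up to the next closing
    brace is taken, non-hex characters (whitespace, line breaks) are dropped."""
    blobs = []
    for m in re.finditer(r"\\objdata(?![a-zA-Z])", rtf):
        start = m.end()
        end = rtf.find("}", start)
        if end == -1:
            break
        hexstr = re.sub(r"[^0-9A-Fa-f]", "", rtf[start:end])
        hexstr = hexstr[: len(hexstr) - len(hexstr) % 2]   # drop a dangling nibble
        blobs.append(bytes.fromhex(hexstr))
    return blobs


def parse_ole1(blob: bytes) -> dict:
    """Parse the OLE 1.0 ObjectHeader and, for FormatID 2 (embedded), the NativeData."""
    version, fmt = struct.unpack_from("<II", blob, 0)
    off = 8
    fields = []
    for _ in range(3):                      # ClassName, TopicName, ItemName
        (n,) = struct.unpack_from("<I", blob, off)
        off += 4
        fields.append(blob[off:off + n].rstrip(b"\x00").decode("latin-1"))
        off += n
    native = b""
    if fmt == 2:
        (n,) = struct.unpack_from("<I", blob, off)
        off += 4
        native = blob[off:off + n]
    return {"version": version, "format_id": fmt, "class_name": fields[0],
            "topic_name": fields[1], "item_name": fields[2], "native_data": native}


def analyze(rtf: str) -> list:
    """One record per embedded object: the facts rtfobj's listing summarises."""
    return [parse_ole1(b) for b in extract_objdata(rtf)]


if __name__ == "__main__":
    print(find_control_words(SAMPLE_RTF))
    for obj in analyze(SAMPLE_RTF):
        print(obj["class_name"], "format", obj["format_id"],
              len(obj["native_data"]), "bytes of native data")
```

Running the script against the constructed document reports one hit for each of the four control words and one embedded object of class Equation.3 with 19 bytes of native data; pointing analyze() at the text of a real RTF file gives you the same per-object view to compare with the rtfdump and rtfobj listings.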
Open the document inside a hex editor to analyze its contents. In my case I will be using 010 Editor for viewing the hex dump.
The hex dump shows an alarming set of strings: one that appears to launch the command prompt and run Calculator, followed by another set of characters that are obfuscated.
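Scanning a dumped object for readable strings is the step a hex editor does by eye. As an added example (my own code, not part of the post and not taken from 010 Editor or rtfdump), the script below renders a hex dump in the usual offset / hex / ASCII layout, pulls out ASCII and UTF-16LE strings, and flags the ones containing a small watch-list of command-related tokens such as cmd.exe and calc.exe. The byte blob it scans is constructed inline to stand in for a decoded object dump; the notepad.exe path, the watch-list contents and the hexdump, extract_strings and flag_strings helpers are my own assumptions for illustration.

```python
import re

# Constructed stand-in for a decoded embedded-object dump (assumption, not bytes
# from a real sample): an OLE-style header, an ASCII command line, high-bit
# padding, a UTF-16LE path, then trailing bytes.
SAMPLE_DUMP = (
    b"\x01\x05\x00\x00\x02\x00\x00\x00"
    + b"cmd.exe /c calc.exe\x00"
    + bytes(range(0x80, 0xA0))
    + "C:\\Windows\\System32\\notepad.exe".encode("utf-16le")
    + b"\x00\x00\xff\xfe"
)

# Tokens a defender would want surfaced from an embedded object (constructed list).
SUSPICIOUS = ("cmd.exe", "calc.exe", "powershell", "wscript", "mshta",
              "regsvr32", "rundll32", "http://", "https://")


def hexdump(data: bytes, width: int = 16) -> list:
    """Return hex-editor style lines: offset, hex bytes, printable ASCII column."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3 - 1}}  {asc}")
    return lines


def extract_strings(data: bytes, min_len: int = 5) -> list:
    """Find runs of printable ASCII and of UTF-16LE (char, NUL pairs), at least
    min_len characters long. Returns (offset, encoding, text) sorted by offset."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    return sorted(found)


def flag_strings(strings: list, watchlist: tuple = SUSPICIOUS) -> list:
    """Keep only strings that contain a watch-list token (case-insensitive)."""
    hits = []
    for off, enc, text in strings:
        matched = [t for t in watchlist if t in text.lower()]
        if matched:
            hits.append({"offset": off, "encoding": enc,
                         "string": text, "indicators": matched})
    return hits


if __name__ == "__main__":
    for line in hexdump(SAMPLE_DUMP):
        print(line)
    strings = extract_strings(SAMPLE_DUMP)
    for off, enc, text in strings:
        print(f"{off:#06x} {enc:8} {text}")
    for hit in flag_strings(strings):
        print("FLAG", hit)
```

On the constructed blob this prints the dump, lists the ASCII command line at offset 8 and the UTF-16LE path at offset 60, and flags only the first one (cmd.exe and calc.exe). Reading the dump file rtfdump wrote with open(path, "rb").read() and passing it through the same three functions gives a first pass over a real object; strings that do not appear are the obfuscated part the post mentions, which needs the next stage of analysis.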
Further reading can be done here:
Excel Document Delivers Multiple Malware By Exploiting CVE-2017-11882 — Part I | Fortinet Blog