First Stage: The initial phase involves a malicious document that downloads an RTF file from the following URL: “hxxps://dgmp-paknavy.mod-pk[.]com/14325/1/10/2/0/0/0/m/files-5291bef6/file[.]rtf”.
Second Stage: The downloaded file, file.rtf, exploits CVE-2017-0199, a vulnerability in Microsoft Word that enables attackers to execute a malicious Visual Basic script. This flaw gives them the ability to execute the JavaScript embedded in RTF stream 0.
Extracting stream 0 from the RTF.
Extracted JavaScript in its obfuscated state.
After the code has been cleaned up, it looks something like this.
This function primarily checks for an available .NET compiler and then generates a path to ‘csc.exe’ for on-the-fly compilation of C# code to evade detection. However, it was not utilized in this sample, leading us to hypothesize that the code may be reused or could be employed in an upcoming campaign.
In this sample, the code begins by checking for installed antivirus software using the “winmgmts” WMI moniker. At the same time, it decodes Base64 content, extracting a DLL from it (confirmed after analyzing the PE file). The extracted DLL is then loaded into the process. The code appends the antivirus name to a URL and invokes “Program.work” from the loaded DLL, passing the combined URL and antivirus name as the function's parameters.
Decoding the Base64.
Extracting the DLL from the Base64. Opening the file in PE Studio to get familiar with its content, several indicators immediately suggest that it is a DLL and most likely a .NET binary.
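As an added example (not the analyst's own tooling), the check above can be automated: the Python script below decodes a Base64 blob carved from such a script and confirms from the PE header alone whether it is a DLL and whether it carries a CLR (.NET) runtime header. The sample PE bytes are constructed in the block, and the function names are hypothetical.

```python
import base64
import struct

IMAGE_FILE_DLL = 0x2000   # Characteristics bit set on DLL images
CLR_HEADER_INDEX = 14     # data-directory slot holding the .NET CLR runtime header

def triage_pe(data: bytes) -> dict:
    """Parse just enough of a PE header to answer: is it a PE, a DLL, and .NET?"""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"is_pe": False}
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {"is_pe": False}
    try:
        # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
        # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
        machine, _, _, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
        opt = e_lfanew + 24
        pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
        # NumberOfRvaAndSizes sits at +92 (PE32) / +108 (PE32+); directories follow it
        ndirs_off = opt + (108 if pe32plus else 92)
        ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
        is_dotnet = False
        if ndirs > CLR_HEADER_INDEX:
            rva, size = struct.unpack_from("<II", data, ndirs_off + 4 + 8 * CLR_HEADER_INDEX)
            is_dotnet = rva != 0 and size != 0
    except struct.error:          # header truncated: treat as not a usable PE
        return {"is_pe": False}
    return {"is_pe": True, "is_dll": bool(chars & IMAGE_FILE_DLL),
            "is_dotnet": is_dotnet, "machine": machine, "pe32plus": pe32plus}

def triage_base64_blob(b64: str) -> dict:
    """Decode a Base64 string (as carved from the dropper script) and triage it."""
    return triage_pe(base64.b64decode(b64))

def build_sample_pe(dll: bool, dotnet: bool) -> bytes:
    """Constructed PE32 header skeleton (no code, not runnable) for exercising the parser."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    chars = 0x0102 | (IMAGE_FILE_DLL if dll else 0)   # EXECUTABLE_IMAGE | 32BIT_MACHINE
    opt = struct.pack("<H", 0x10B).ljust(92, b"\0") + struct.pack("<I", 16)
    dirs = [(0, 0)] * 16
    if dotnet:
        dirs[CLR_HEADER_INDEX] = (0x2008, 0x48)       # arbitrary RVA/size of a CLR header
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, len(opt), chars)
    return dos + b"PE\0\0" + file_hdr + opt

if __name__ == "__main__":
    sample = base64.b64encode(build_sample_pe(dll=True, dotnet=True)).decode()
    print(triage_base64_blob(sample))
```

On a real carved blob, feed the Base64 text straight to triage_base64_blob; a result with is_dll and is_dotnet both true matches what PE Studio showed here.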
The next step is to check its exported functions.
Opening the DLL in dnSpy.
After opening the DLL and performing cleanup, we can observe that the initial section gathers information about installed antivirus programs. Specifically, it checks for Avast, Avira, and AVG. If any of these antivirus programs are detected, the DLL proceeds to execute a file. This file contains a Base64 payload that is passed to it by the parent process. The payload is then formatted and written to a file, utilizing “mshta.exe” as a means of evading detection.
On the other hand, if a different antivirus program is found during the check, the file content is simply used to start a process. However, in this particular case, this part of the program remains unused.
This particular segment of the code is actively utilized in this case. It involves the receipt of a URL parameter passed by the parent process. Subsequently, the DLL leverages this URL to fetch a payload, which is then stored in an array. The payload is formatted accordingly and subsequently executed as a separate process.
In the event that the process creation encounters any issues or fails for some reason, the DLL is designed to handle the exception (reason for the crash). It captures the relevant exception data and sends it back to the original URL in a specific format, making it recognizable and processable on the server side. Additionally, the DLL takes the necessary step to terminate the problematic process.
Overall, this functionality allows the code to dynamically retrieve and execute payloads from the provided URL while effectively handling errors and reporting them back to the server for further analysis.
It appears that the third stage was promptly removed once it was reported, so it could not be retrieved, and the content and functionality of the third stage remain unknown. Removing the third stage can be read as a defensive measure by the developers to prevent further analysis or detection of the code's full capabilities.
In such cases, it becomes difficult to gain a complete understanding of the code's behavior and intended purpose.
IOC:
eeeb99f94029fd366dcde7da2a75a849833c5f5932d8f1412a89ca15b9e9ebb7