Analysis of an Obfuscated RTF File

15 May 2022

RTF SHA256: ac64adbfa128fd5f31bd922957942a1b80c56ee119791a29b939be04e1d7e2ba

Filename: PO#JEL180409TH IR & JEL180409TH IRB.doc

VirusTotal Score: 30/59 as of 12 May 2022

What’s An RTF?

First released some 35 years ago, the Rich Text Format (RTF) file provides cross-platform support ensuring the document can be read and opened by a number of different word processing applications. As with any legitimate product, adversaries will find a way to use an application for evil.

This post will provide a quick analysis of an RTF file I recently stumbled upon in an online sandbox.

I won’t waste your time discussing how RTF files are leveraged for the delivery of malware. At the end of this post, I will provide a few links if you are interested.

Analysis

Although the document being analyzed today ends with a .doc extension, opening the file in a Hex Editor reveals the magic byte values of an RTF file ({\rtf).

This wouldn’t be a proper analysis of a Word document without using Didier Stevens’ rtfdump script. Running the script with “-f” for the file, and “O” for any embedded OLE files will be revealed.

Observing the output of the above command, we can see four streams have been identified, 21, 26, 231, and 236.

For those with a keen eye, you may also see references to a file named Client.vbs in the above output. We will come back to this later in the post.

Digging deeper into the streams is trivial, and can be accomplished with the following command:

rtfdump.py -s 236 -H unknown_220509.rtf (the “H” displays the output in hex format)

In the above output, we can see “Equation.3”, reinforcing our belief that this document is likely exploiting CVE-2018-0798.

Running The File

Upon opening the file, Client.vbs is dropped into the TEMP folder, and is run using the below command:

CmD.exe /C cscript %tmp%\Client.vbs

CScript is used to run the VBScript file which also runs an embedded PowerShell script. Before diving into the obfuscated script, let’s take a further look at Client.vbs.

In an attempt to throw off researchers, Client.vbs attempts to mimic slmgr.vbs, Windows’ Software Licensing Management Tool. The above image provides a side-by-side comparison of the two files.

If the mismatch in the first couple of lines doesn’t throw you off, Client.vbs is well over 2k+ lines of code, mostly from slmgr.vbs, and some junk code likely from other Windows VBScript code.

Scrolling towards the bottom of Client.vbs, the true nature of the file starts to become apparent. The malicious script makes heavy use of obfuscating variable names, as well as string reversal to evade detection. The below image provides another side-by-side comparison.

The above image shows reversed PowerShell code that will be run in tandem with the VBScript file.

Putting the piece of code back in its intended format, we can get an idea of the code’s purpose.

We can see the lengthy variable starting with “$70J…” is assigned to a byte array. At the bottom of the code, we can see [System.Text.Encoding]::Ascii.GetString is called along with IEX.

Converting the ASCII code reveals what all the obfuscation was hiding.

The partially deobfuscated script has a few more minor techniques to evade detection, but we can get a good idea of what’s going on without going back to CyberChef.

The script first pings google.com to ensure a network connection is present, and if so, makes a connection to:

https://krakenfiles.com/assets/img/zoom%5B.%5Dpng

Unfortunately at the time of writing, the supposed PNG file was not able to be retrieved.

This particular file had a few other tricks up its sleeve, in particular with persistence via Registry Keys, but that is for another time and another post.

Conclusion

I hope you enjoyed this quick analysis of a suspicious RTF file. As promised, below are some great articles for anyone who wants a better understanding of the RTF document and how it has been abused.

Links

https://www.domaintools.com/resources/blog/an-undersea-royal-road-exploring-malicious-documents-and-associated-malware#

https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html

https://neil-fox.github.io/RTF-Analysis-&-Lokibot/

%d bloggers like this: