Two for the price of one – malicious tricks can work together

We recently discovered “PO.doc”, a malicious Office document that had no traces of macros, shellcode or any DDE functionality – but was still able to download and execute malware. This type of file is typically part of a phishing email campaign.

From a nontechnical perspective, this is dangerous as the malicious content could be delivered and run without any user interaction. In addition, as many people have a Windows operating system with Microsoft Office, this exploit targets a vast majority of computer users.

From the technical perspective, this is a construction challenge: How has this document been built to deliver such secretive results? What we found was a two-stage payload delivery which also harnessed two different vulnerabilities. Both these exploits combined together can be used to deliver the malicious content and run it without any user interaction. In addition, the malware authors made it easy for researchers to classify the exploits incorrectly, further concealing their efforts.

Diving into our analysis

(Sha256: c63499f961efd7c00e55bb903d0f7773f2fb15fe2b8d31d3d9341b33950d70ab)
(Avira Detection Name: EXP/W2000M.CVE-2017-8759.A)

We started with several open-source tools to unpack the file and try to determine the nature of the malicious “PO.doc”. ViperMonkey, an open-source VBA emulator, was used to analyse the file, but no VBA macros were found.

Then we used OfficeMalScanner, an open-source tool that is used to scan Office documents for embedded OLE objects and embedded shellcode and which has a scoring system to calculate the maliciousness of the scanned sample. Still, the file looked clean.

We then went through the file’s decompressed XML contents in search of malicious traces. Here we found a malicious URL embedded in the document’s XML. This uses a Microsoft functionality that allows embedding and linking to other documents.
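One way to surface such a link when triaging an unpacked document, as an added example that is not part of the original analysis: the script below opens a .docx (a zip) in memory and lists every relationship of the main document part whose target is external, which is where a linked OLE object keeps its remote URL. The sample document and its URL are constructed placeholders, not the real “PO.doc”.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
STYLES_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles"


def external_relationships(docx_bytes):
    """Return (rId, short type, target) for every relationship of the main
    document part whose TargetMode is External. A linked OLE object that
    fetches a remote document shows up here as an oleObject relationship
    with an http(s) target; an ordinary document has none of these."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "word/_rels/document.xml.rels" not in z.namelist():
            return hits
        root = ET.fromstring(z.read("word/_rels/document.xml.rels"))
        for rel in root.iter("{%s}Relationship" % REL_NS):
            if rel.get("TargetMode", "Internal").lower() == "external":
                short_type = rel.get("Type", "").rsplit("/", 1)[-1]
                hits.append((rel.get("Id"), short_type, rel.get("Target")))
    return hits


def build_sample_docx():
    """Constructed minimal .docx: one ordinary internal relationship and one
    external oleObject link. The URL is a placeholder, not the real one."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{STYLES_REL}" Target="styles.xml"/>'
        f'<Relationship Id="rId2" Type="{OLE_REL}" '
        'Target="http://example.invalid/second-stage.doc" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for rid, rtype, target in external_relationships(build_sample_docx()):
        print(f"{rid}: {rtype} -> {target}")
```

Any oleObject relationship with an external http(s) target is worth a closer look, since a legitimate document rarely needs to link an object to a remote host.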

This also has a somewhat low detection rate on VirusTotal.

Here comes the second malicious payload in another document:

The exploit CVE-2017-8759 requires no user interaction for the delivery and running of the second-stage payload.

Subsequently, they used this exploit to deliver a weaponized document containing the second payload. It is an RTF file, also disguised with a “.doc” extension.
You can find a POC of this exploit here.

(sha256: 6e44d9eed2f9f5e6139f4b6b39045294a9e5ac61ea00c2133b07c800221cd7c6)
(Avira Detection Name: EXP/RTFX.CVE-2017-11882.A)

This RTF contains the second exploit, CVE-2017-11882, which uses a vulnerability in the old equation editor EQNEDT32.EXE. This vulnerability had been present for more than ten years: even though Microsoft replaced this equation editor back in 2007, the vulnerability remained unpatched until late 2017, and “EQNEDT32.EXE” was still shipped in all Office versions up to Office 2016 for backward compatibility reasons. As we can see, the exploit is embedded in the OLE object highlighted in the screenshot below.

In the background we see that the exploit RTF file has been executed and the process “EQNEDT32.EXE” is spawned without any user interaction so far – other than opening a Microsoft Office document.
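As an added example that is not part of the original analysis, the scanner below flags RTF files that embed an Equation Editor object, the container this exploit rides in. It checks the declared \objclass and, because that name is often mangled in malicious samples, also decodes each \objdata hex run and looks for the Equation.3 ProgID in the OLE1 header and for the Equation Editor CLSID {0002CE02-0000-0000-C000-000000000046}. The RTF sample is constructed; its objdata is a dummy header plus filler, not a real equation object and not an exploit.

```python
import re

# Microsoft Equation 3.0: its ProgID and its CLSID
# {0002CE02-0000-0000-C000-000000000046}, little-endian as stored in OLE streams.
EQUATION_PROGID = b"equation.3"
EQUATION_CLSID_LE = bytes.fromhex("02ce020000000000c000000000000046")

OBJCLASS_RE = re.compile(rb"\\objclass\s*([^\\{}\s;]+)", re.IGNORECASE)
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)", re.IGNORECASE)


def objdata_blobs(rtf):
    """Decode every \\objdata hex run in the RTF to raw bytes."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        hexstr = hexstr[: len(hexstr) - len(hexstr) % 2]  # drop a dangling nibble
        blobs.append(bytes.fromhex(hexstr.decode("ascii")))
    return blobs


def equation_objects(rtf):
    """Return the reasons an RTF should be flagged for an Equation Editor object:
    the declared \\objclass, the ProgID in the OLE1 header of \\objdata, or the
    CLSID inside the embedded compound file."""
    reasons = []
    for m in OBJCLASS_RE.finditer(rtf):
        if m.group(1).lower().startswith(EQUATION_PROGID):
            reasons.append("objclass " + m.group(1).decode("latin-1"))
    for i, blob in enumerate(objdata_blobs(rtf)):
        if EQUATION_PROGID in blob.lower():
            reasons.append("objdata[%d] names Equation.3 in its OLE1 header" % i)
        if EQUATION_CLSID_LE in blob:
            reasons.append("objdata[%d] contains the Equation.3 CLSID" % i)
    return reasons


# Constructed sample: the objclass is case-mangled as seen in obfuscated
# documents; the objdata is a dummy OLE1 header (version, format, class name
# "Equation.3") followed by filler bytes, not a real object and not an exploit.
SAMPLE_RTF = (
    rb"{\rtf1\ansi{\object\objemb{\*\objclass EqUaTiOn.3}{\*\objdata "
    rb"01050000 02000000 0b000000 4571756174696f6e2e3300 00000000 00000000 "
    rb"20000000 d0cf11e0a1b11ae1 02ce020000000000c000000000000046 00000000"
    rb"}}\par Invoice attached.}"
)
BENIGN_RTF = rb"{\rtf1\ansi Hello, no objects here.\par}"

if __name__ == "__main__":
    for reason in equation_objects(SAMPLE_RTF):
        print(reason)
```

A hit does not prove exploitation, but an Equation Editor object in an e-mailed RTF is rare enough in legitimate mail to warrant detonation or quarantine.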

Wrapping it all up:

Finding an Office document containing two exploits is not a common thing. In addition, almost everyone has a Windows operating system with Microsoft Office – there is a wide range of endpoints vulnerable to this exploit. We believe this combination indicates that the malware authors are keen on infecting as many devices as they can, rather than launching a targeted attack.

Here are the specific vulnerabilities:

CVE-2017-8759 is a remote code execution vulnerability that occurs when Microsoft’s .NET framework processes untrusted input. To be specific, this is a SOAP WSDL parser code injection vulnerability. This allows the exploiter to execute arbitrary code while the .NET framework is parsing the SOAP WSDL definition contents.

CVE-2017-11882 is also a remote code execution vulnerability but this time it is with Microsoft’s Office software. This happens when Microsoft Office fails to handle objects properly in memory. The exploiter could then run arbitrary code on the system within the permissions of the current user.

Both these exploits combined can be used to deliver the malicious content and run it without any user interaction. At first glance the first exploit may also be mistakenly classified as a CVE-2017-0199 exploit, which is also a remote code execution vulnerability but actually leverages a vulnerability in the HTA handler.

Making use of CVE-2017-8759 is very interesting, as it is well known that all Windows operating systems come with the .NET framework installed out of the box. The attack surface and impact are widened because the .NET framework is not upgraded on a regular basis due to compatibility issues. A lot of software available today still needs vulnerable versions of this framework to be installed for its applications to run.