SANS ISC: Analysis Of An "ms-msdt" RTF Maldoc - SANS Internet Storm Center
Analysis Of An "ms-msdt" RTF Maldoc

Malicious document "aaa.rtf" is an RTF file that downloads an HTML file; that HTML file then uses the ms-msdt protocol handler to get a PowerShell script executed. The technique is explained in our diary entry "New Microsoft Office Attack Vector via "ms-msdt" Protocol Scheme (CVE-2022-30190)".

To analyze RTF files, I use my tool rtfdump.py.

In the list of RTF entities, there is an object whose objclass contains a URL, together with an objdata entity holding an embedded object:

Here is the URL of the objclass:

And here are the objects:

The first object is an OLE file that can be piped into oledump.py for analysis:

The \1Ole and \3LinkInfo streams contain URLs:

Microsoft documents the structure of these streams, but parsing them is not necessary for this sample: we can also just extract the strings:

Looking on VirusTotal for the relations of this maldoc, I found PowerShell scripts and a Cobalt Strike beacon:


Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

Jun 5th 2022
