OfficeMalScanner/RTFScan
Description
RTFScan is a tool that offers features similar to those of OfficeMalScanner, but for RTF documents.
Usage
Syntax
Usage: RTFScan <RTF file> <scan> <debug>
Options
- scan: scan for shellcode heuristics and dump object and data areas as well as PE files
Switches
- debug: print the disassembly or the hex output, respectively, when a heuristic has been found
Example
Let's analyze a malicious document named 1.doc. The *.doc extension might suggest an MS Office Word document, but according to OfficeMalScanner it is actually an RTF document:
C:\tools\OfficeMalScanner>OfficeMalScanner.exe \malware\1.doc info
+------------------------------------------+
| OfficeMalScanner v0.58 |
| Frank Boldewin / www.reconstructer.org |
+------------------------------------------+
[*] INFO mode selected
[*] Opening file \malware\1.doc
[*] Filesize is 116094 (0x1c57e) Bytes
RTF file format detected. Please use RTFScan.
Let's analyze the document with RTFScan:
C:\tools\OfficeMalScanner>RTFScan.exe \malware\1.doc scan debug
+------------------------------------------+
| RTFScan v0.22 |
| Frank Boldewin / www.reconstructer.org |
+------------------------------------------+
[*] SCAN mode selected
[*] Opening file \malware\1.doc
[*] Filesize is 116094 (0x1c57e) Bytes
[*] RTF format detect
Embedded OLE document found in OBJDATA
Scanning for shellcode in OBJDATA...
FS:[30] (Method 4) signature found at offset: 0x924
648B7130 mov esi, fs:[ecx+30h]
8B760C mov esi, [esi+0Ch]
8B761C mov esi, [esi+1Ch]
8B6E08 mov ebp, [esi+08h]
8B7E20 mov edi, [esi+20h]
8B36 mov esi, [esi]
817F0C33003200 cmp [edi+0Ch], 00320033h
75EF jnz $-0Fh
8BDD mov ebx, ebp
E938030000 jmp $+0000033Dh
5D pop ebp
83C508 add ebp, 00000008h
8BFD mov edi, ebp
6A0E push 0000000Eh
59 pop ecx
E8E3020000 call $+000002E8h
--------------------------------------------------------------------------
API-Hashing signature found at offset: 0xc56
7408 jz $+0Ah
C1CD07 ror ebp, 07h
03EA add ebp, edx
40 inc eax
EBF1 jmp $-0Dh
3B2F cmp ebp, [edi]
75E7 jnz $-17h
5E pop esi
8B6E24 mov ebp, [esi+24h]
03EB add ebp, ebx
668B4C4D00 mov cx, [ebp+ecx*2]
8B6E1C mov ebp, [esi+1Ch]
03EB add ebp, ebx
8B448D00 mov eax, [ebp+ecx*4]
03C3 add eax, ebx
AB stosd
--------------------------------------------------------------------------
JMP [0xEB]/CALL/POP signature found at offset: 0xa63
EB19 jmp $+1Bh
5B pop ebx
8D4DF7 lea ecx, [ebp-09h]
83C205 add edx, 00000005h
51 push ecx
8BFF mov edi, edi
55 push ebp
8BEC mov ebp, esp
C60168 mov byte ptr [ecx], 68h
895901 mov [ecx+01h], ebx
C64105C3 mov byte ptr [ecx+05h], C3h
FFE2 jmp edx
E8E2FFFFFF call $-00000019h
898570010000 mov [ebp+00000170h], eax
6A00 push 00000000h
6880000000 push 00000080h
--------------------------------------------------------------------------
JMP [0xE9]/CALL/POP signature found at offset: 0x941
E938030000 jmp $+0000033Dh
5D pop ebp
83C508 add ebp, 00000008h
8BFD mov edi, ebp
6A0E push 0000000Eh
59 pop ecx
E8E3020000 call $+000002E8h
E2F9 loop $-05h
8D8521010000 lea eax, [ebp+00000121h]
50 push eax
6800010000 push 00000100h
FF5504 call [ebp+04h]
89851C010000 mov [ebp+0000011Ch], eax
C784052101000044573230 mov [ebp+eax+00000121h], 30325744h
8B4D3C mov ecx, [ebp+3Ch]
85C9 test ecx, ecx
--------------------------------------------------------------------------
Dumping embedded OLE document as filename: OLE_DOCUMENT__1__1.bin
!!! OLE_DOCUMENT has been found and dumped. This should be re-scanned with officemalscanner now !!!
!!! This file contains overlay data, which is unsual for legitimate rtf-files !!!
Analysis finished!
----------------------------------------------
1 seems to be malicious! Malicious Index = 60
----------------------------------------------
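To show what the report above is built from, here is an added Python example (not RTFScan's code) that extracts the hex-encoded \objdata objects from an RTF file, checks them for an embedded OLE document, for the FS:[30] (PEB lookup) and JMP/CALL/POP (GetPC) shellcode heuristics, and reports overlay data after the final closing brace. The byte signatures and the sample RTF are my own constructed assumptions, not RTFScan's signature tables.

```python
import re

# Added example (not RTFScan's code): \objdata extractor plus three heuristics seen in the report above.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"             # OLE compound-document header
# "FS:[30]" (assumed pattern): mov reg, fs:[reg+30h] (64 8B <ModRM 40..7F> 30) or mov eax, fs:[30h]
FS30 = re.compile(rb"\x64(?:\x8b[\x40-\x7f]\x30|\xa1\x30\x00\x00\x00)")

def extract_objdata(rtf: bytes) -> list:
    """Decode the hex payload of every \\objdata group; nested control words are skipped."""
    blobs = []
    for m in re.finditer(rb"\\objdata\b", rtf):
        depth, hexchars, i = 1, bytearray(), m.end()
        while i < len(rtf) and depth > 0:
            c = rtf[i:i + 1]
            if c == b"\\":                      # control word inside the group: not hex data
                i += 1
                while i < len(rtf) and rtf[i:i + 1].isalpha():
                    i += 1
                continue
            depth += (c == b"{") - (c == b"}")  # track the group's brace nesting
            if c in b"0123456789abcdefABCDEF":
                hexchars += c
            i += 1
        blobs.append(bytes.fromhex(hexchars[:len(hexchars) & ~1].decode()))
    return blobs

def find_getpc(data: bytes) -> list:
    """JMP/CALL/POP trick: a CALL with a small negative displacement landing on a POP reg."""
    hits = []
    for i in range(len(data) - 4):
        if data[i] == 0xE8:
            rel = int.from_bytes(data[i + 1:i + 5], "little", signed=True)
            if -0x100 <= rel < 0 <= i + 5 + rel and 0x58 <= data[i + 5 + rel] <= 0x5F:
                hits.append(i)
    return hits

def scan_rtf(rtf: bytes) -> dict:
    """Hits are (objdata index, offset); overlay = bytes after the last closing brace."""
    f = {"ole_objects": 0, "fs30": [], "getpc": [], "overlay": 0}
    for n, blob in enumerate(extract_objdata(rtf)):
        f["ole_objects"] += OLE_MAGIC in blob
        f["fs30"] += [(n, m.start()) for m in FS30.finditer(blob)]
        f["getpc"] += [(n, off) for off in find_getpc(blob)]
    f["overlay"] = len(rtf[rtf.rfind(b"}") + 1:].strip())   # unusual for legitimate RTF
    return f

# Constructed sample: OLE header and padding, then a GetPC stub and a PEB (fs:[30h]) lookup
SHELLCODE = (b"\xeb\x05\x5b\x90\x90\x90\x90"                 # jmp +5 ; pop ebx ; nop x4
             b"\xe8\xf6\xff\xff\xff\x64\x8b\x71\x30")        # call -10 (lands on pop ebx) ; mov esi, fs:[ecx+30h]
SAMPLE_RTF = (b"{\\rtf1{\\object\\objemb{\\*\\objdata "
              + (OLE_MAGIC + b"\x00" * 8 + SHELLCODE).hex().encode() + b"}}}OVERLAY-JUNK")
```

Running `scan_rtf(SAMPLE_RTF)` reports one OLE object, one FS:[30] hit, one GetPC hit and 12 bytes of overlay; on a real sample the dumped object should then be re-scanned with OfficeMalScanner, as the report above says.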