OfficeMalScanner/RTFScan

From aldeid
Jump to: navigation, search
You are here:
RTFScan

Description

RTFScan is a tool which has similar features as OfficeMalScanner but for RTF documents.

Usage

Syntax

Usage: RTFScan <RTF file> <scan> <debug>

Options

scan
scan for shellcode heuristics, dump object and data areas, as well as PE-Files

Switches

debug
prints out disassembly resp hexoutput if a heuristic was found

Example

Let's analyze a malicious document named 1.doc. The *.doc extension might indicate a MS Office Word document but it seems to be a RTF document, according to OfficeMalScanner:

C:\tools\OfficeMalScanner>OfficeMalScanner.exe \malware\1.doc info
 
+------------------------------------------+
|           OfficeMalScanner v0.58         |
|  Frank Boldewin / www.reconstructer.org  |
+------------------------------------------+

[*] INFO mode selected
[*] Opening file \malware\1.doc
[*] Filesize is 116094 (0x1c57e) Bytes

RTF file format detected. Please use RTFScan.

Let's analyze the document with RTFScan:

C:\tools\OfficeMalScanner>RTFScan.exe \malware\1.doc scan debug

+------------------------------------------+
|              RTFScan v0.22               |
|  Frank Boldewin / www.reconstructer.org  |
+------------------------------------------+

[*] SCAN mode selected
[*] Opening file \malware\1.doc
[*] Filesize is 116094 (0x1c57e) Bytes
[*] RTF format detect

Embedded OLE document found in OBJDATA

Scanning for shellcode in OBJDATA...
FS:[30] (Method 4) signature found at offset: 0x924

648B7130                           mov esi, fs:[ecx+30h]
8B760C                             mov esi, [esi+0Ch]
8B761C                             mov esi, [esi+1Ch]
8B6E08                             mov ebp, [esi+08h]
8B7E20                             mov edi, [esi+20h]
8B36                               mov esi, [esi]
817F0C33003200                     cmp [edi+0Ch], 00320033h
75EF                               jnz $-0Fh
8BDD                               mov ebx, ebp
E938030000                         jmp $+0000033Dh
5D                                 pop ebp
83C508                             add ebp, 00000008h
8BFD                               mov edi, ebp
6A0E                               push 0000000Eh
59                                 pop ecx
E8E3020000                         call $+000002E8h
--------------------------------------------------------------------------

API-Hashing signature found at offset: 0xc56

7408                               jz $+0Ah
C1CD07                             ror ebp, 07h
03EA                               add ebp, edx
40                                 inc eax
EBF1                               jmp $-0Dh
3B2F                               cmp ebp, [edi]
75E7                               jnz $-17h
5E                                 pop esi
8B6E24                             mov ebp, [esi+24h]
03EB                               add ebp, ebx
668B4C4D00                         mov cx, [ebp+ecx*2]
8B6E1C                             mov ebp, [esi+1Ch]
03EB                               add ebp, ebx
8B448D00                           mov eax, [ebp+ecx*4]
03C3                               add eax, ebx
AB                                 stosd
--------------------------------------------------------------------------

JMP [0xEB]/CALL/POP signature found at offset: 0xa63

EB19                               jmp $+1Bh
5B                                 pop ebx
8D4DF7                             lea ecx, [ebp-09h]
83C205                             add edx, 00000005h
51                                 push ecx
8BFF                               mov edi, edi
55                                 push ebp
8BEC                               mov ebp, esp
C60168                             mov byte ptr [ecx], 68h
895901                             mov [ecx+01h], ebx
C64105C3                           mov byte ptr [ecx+05h], C3h
FFE2                               jmp edx
E8E2FFFFFF                         call $-00000019h
898570010000                       mov [ebp+00000170h], eax
6A00                               push 00000000h
6880000000                         push 00000080h
--------------------------------------------------------------------------

JMP [0xE9]/CALL/POP signature found at offset: 0x941

E938030000                         jmp $+0000033Dh
5D                                 pop ebp
83C508                             add ebp, 00000008h
8BFD                               mov edi, ebp
6A0E                               push 0000000Eh
59                                 pop ecx
E8E3020000                         call $+000002E8h
E2F9                               loop $-05h
8D8521010000                       lea eax, [ebp+00000121h]
50                                 push eax
6800010000                         push 00000100h
FF5504                             call [ebp+04h]
89851C010000                       mov [ebp+0000011Ch], eax
C784052101000044573230             mov [ebp+eax+00000121h], 30325744h
8B4D3C                             mov ecx, [ebp+3Ch]
85C9                               test ecx, ecx
--------------------------------------------------------------------------


Dumping embedded OLE document as filename: OLE_DOCUMENT__1__1.bin


        !!! OLE_DOCUMENT has been found and dumped. This should be re-scanned wi
th officemalscanner now !!!

                 !!! This file contains overlay data, which is unsual for legiti
mate rtf-files !!!


Analysis finished!

----------------------------------------------
1 seems to be malicious! Malicious Index = 60
----------------------------------------------