## TL;DR
A malicious RTF document contains an embedded OLE2Link object that, upon opening, silently fetches a remote HTA file from 192.168.248.129:8080 and executes it via mshta.exe — no user interaction required beyond opening the document.
## Initial Analysis

`file` identifies the sample as an RTF document:

```
msf.doc: Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
```
rtfobj identified an embedded OLE object of class OLE2Link containing a URL pointing to a remote HTA file:
```
$ rtfobj msf.doc
===============================================================================
File: 'msf.doc' - size: 5743 bytes
---+----------+---------------------------------------------------------------
id |index     |OLE Object
---+----------+---------------------------------------------------------------
0  |000001B4h |format_id: 2 (Embedded)
   |          |class name: b'OLE2Link'
   |          |data size: 2560
   |          |MD5 = '053ba4dffb352244944dba6f29957f4c'
   |          |CLSID: 00000300-0000-0000-C000-000000000046
   |          |StdOleLink (embedded OLE object - Known Related to
   |          |CVE-2017-0199, CVE-2017-8570, CVE-2017-8759 or CVE-2018-8174)
   |          |Possibly an exploit for the OLE2Link vulnerability (VU#921560,
   |          |CVE-2017-0199)
   |          |URL extracted: http://192.168.248.129:8080/default.hta
---+----------+---------------------------------------------------------------
```
CVE-2017-0199 is a Microsoft Office vulnerability that allows a malicious RTF document to automatically fetch and execute a remote HTA file via mshta.exe when the document is opened — without requiring macros to be enabled or any additional user interaction.
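The fields rtfobj reports above (format_id, class name, MD5, embedded URL) all come from the OLE 1.0 object stream that the RTF carries hex-encoded inside its `\objdata` group. The following is an added example, not code from the original post or from the oletools project, showing how a triage script can pull those fields out itself: it decodes every `\objdata` group, parses the OLE 1.0 header (OLEVersion, FormatID, length-prefixed class/topic/item names, native data size, native data), and flags objects whose class name is `OLE2Link` or whose native data contains a URL ending in `.hta`. The RTF it scans is constructed inline (it is not the analysed `msf.doc`), and the only value taken from the page is the payload URL; the sample stores that URL as UTF-16LE, so the scanner checks both ASCII and UTF-16LE encodings.

```python
import hashlib
import re
import struct

# Payload URL as reported by rtfobj for the analysed sample (from the page).
PAYLOAD_URL = "http://192.168.248.129:8080/default.hta"


def build_ole1_object(class_name: str, native_data: bytes) -> bytes:
    """Build a minimal OLE 1.0 embedded object stream (FormatID 2).

    Layout: OLEVersion | FormatID | ClassName | TopicName | ItemName |
            NativeDataSize | NativeData, with each name a
            LengthPrefixedAnsiString (u32 length including the NUL, then bytes).
    Used here only to construct the sample document below.
    """
    def lp_ansi(s: str) -> bytes:
        raw = s.encode("ascii") + b"\x00"
        return struct.pack("<I", len(raw)) + raw

    return (struct.pack("<I", 0x00000501)      # OLEVersion as written by Office
            + struct.pack("<I", 2)             # FormatID 2 = embedded object
            + lp_ansi(class_name)
            + lp_ansi("")                      # TopicName (empty)
            + lp_ansi("")                      # ItemName (empty)
            + struct.pack("<I", len(native_data))
            + native_data)


# Constructed sample RTF: one embedded OLE2Link object whose native data holds
# the URL as UTF-16LE. This mimics the fields rtfobj reports, nothing more.
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\ansicpg1252\\deflang1025"
    b"{\\object\\objemb{\\*\\objdata "
    + build_ole1_object(
        "OLE2Link",
        b"\x00" * 8 + PAYLOAD_URL.encode("utf-16-le") + b"\x00\x00",
    ).hex().encode("ascii")
    + b"}}\\par }"
)

OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")
URL_ASCII_RE = re.compile(rb"https?://[\x21-\x7e]+")
# Same pattern with every character followed by a NUL byte (UTF-16LE).
URL_UTF16_RE = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+"
)


def extract_objdata(rtf: bytes):
    """Yield the decoded bytes of every \\objdata group in the RTF."""
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"\s", b"", m.group(1))
        if len(hexdata) % 2:          # tolerate a dangling nibble
            hexdata = hexdata[:-1]
        yield bytes.fromhex(hexdata.decode("ascii"))


def parse_ole1(data: bytes) -> dict:
    """Parse the OLE 1.0 object header and return its fields."""
    off = 0

    def u32() -> int:
        nonlocal off
        (v,) = struct.unpack_from("<I", data, off)
        off += 4
        return v

    def lp_str() -> str:
        nonlocal off
        n = u32()
        s = data[off:off + n]
        off += n
        return s.rstrip(b"\x00").decode("latin-1")

    version = u32()
    format_id = u32()
    class_name = lp_str()
    topic_name = lp_str()
    item_name = lp_str()
    native_size = u32()
    native = data[off:off + native_size]
    return {
        "ole_version": version,
        "format_id": format_id,
        "class_name": class_name,
        "topic_name": topic_name,
        "item_name": item_name,
        "native_size": native_size,
        "native_data": native,
        "md5": hashlib.md5(data).hexdigest(),
    }


def scan_rtf(rtf: bytes) -> list:
    """Return one finding per embedded object, flagging OLE2Link / HTA links."""
    findings = []
    for blob in extract_objdata(rtf):
        info = parse_ole1(blob)
        urls = [u.decode("ascii") for u in URL_ASCII_RE.findall(info["native_data"])]
        urls += [u.decode("utf-16-le") for u in URL_UTF16_RE.findall(info["native_data"])]
        info["urls"] = sorted(set(urls))
        info["suspicious"] = (
            info["class_name"].lower() == "ole2link"
            or any(u.lower().endswith(".hta") for u in info["urls"])
        )
        findings.append(info)
    return findings


if __name__ == "__main__":
    for f in scan_rtf(SAMPLE_RTF):
        print(f"class={f['class_name']!r} format_id={f['format_id']} "
              f"md5={f['md5']} urls={f['urls']} suspicious={f['suspicious']}")
```

Pointing `scan_rtf` at a real file is a matter of `scan_rtf(open(path, "rb").read())`; on a document like the one analysed here the class name and the `.hta` URL each independently trip the `suspicious` flag, and the MD5 column lets the output be matched against the rtfobj listing above.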
## IOCs

### Files
- msf.doc — malicious RTF document
- MD5: 053ba4dffb352244944dba6f29957f4c
### Network
- C2 Server: 192.168.248.129
- C2 Port: 8080/tcp
- Payload URL: http://192.168.248.129:8080/default.hta