Emprisa Maldoc

Always open malware in a secure environment like a VM.

We will be using the REMnux distribution which is specifically made for reverse engineering.

Q1. What is the CVE ID of the exploited vulnerability?

Let's find the file hash using md5sum.

$ md5sum c39-EmprisaMaldoc.rtf 
d82341600606afcf027646ea42f285ae  c39-EmprisaMaldoc.rtf

We can search the file hash or just open the file in VirusTotal in order to find the CVE ID.

Answer

// Some code

Q2. To reproduce the exploit in a lab environment and mimic a corporate machine running Microsoft office 2007, a specific patch should not be installed. Provide the patch number.

Microsoft released a patch in 2017 for this vulnerability.

We can see the patch number mentioned in Method 3.

Q3. What is the magic signature in the object data?

The rtfdump tool help with this task.

$ rtfdump.py c39-EmprisaMaldoc.rtf 
    1 Level  1        c=    3 p=00000000 l=    8238 h=    7903;    4678 b=       0   u=      17 \rtf1
    2  Level  2       c=    1 p=00000034 l=      37 h=       3;       2 b=       0   u=       5 \fonttbl
    3   Level  3      c=    0 p=0000003d l=      27 h=       3;       2 b=       0   u=       5 \f0
    4  Level  2       c=    0 p=0000005c l=      30 h=      11;       4 b=       0   u=       5 \*\generator
    5  Level  2       c=    3 p=000000b2 l=    8054 h=    7889;    4678 b=       0   u=       7 \object
    6   Level  3      c=    0 p=000000cb l=      22 h=       3;       1 b=       0   u=       7 \*\objclass Equation.3
    7   Level  3      c=    0 p=000000f3 l=    7267 h=    7254;    4678 b=       0 O u=       0 \*\objdata
      Name: b'Equation.3\x00' Size: 3584 md5: 86e11891181069b51cc3d33521af9f1e magic: d0cf11e0
    8   Level  3      c=    1 p=00001d58 l=     719 h=     632;      78 b=       0   u=       0 \result
    9    Level  4     c=    1 p=00001d60 l=     710 h=     632;      78 b=       0   u=       0 \pict
   10     Level  5    c=    0 p=00001d66 l=      10 h=       0;       0 b=       0   u=       0 \*\picprop
   11 Remainder       c=    0 p=00002030 l=       1 h=       0;       0 b=       0   u=       0 
      Only whitespace = 1

Q4. What is the name of the spawned process when the document gets opened?

On opening the file with Any.Run, we can see that there is EQNEDT32.EXE process.

This process makes connections with a Github account which is malicious behaviour.

Q5. What is the full path of the downloaded payload?

$ rtfobj -s 0 c39-EmprisaMaldoc.rtf

$ strings c39-EmprisaMaldoc.rtf_object_000000FE.bin
Microsoft Equation 3.0
DS Equation
Equation.3
8GetPu
rocAu
ddreu
Qh.exehC:\oSRQharyAhLibrhLoadTS
YPQf
llQhon.dhurlmT
eAQ3
hoFilhoadThownlhURLDTP
T$$QQR
Z[SRQhxeca
hWinETS
Z[hessa
ahProchExitTS
https://raw.githubusercontent.com/accidentalrebel/accidentalrebel.com/gh-pages/theme/images/test.png

Q6. Where is the URL used to fetch the payload?

The answer is present in the final line of the last command output.

$ strings c39-EmprisaMaldoc.rtf_object_000000FE.bin
--snip--;
https://raw.githubusercontent.com/accidentalrebel/accidentalrebel.com/gh-pages/theme/images/test.png

Q7. What is the flag inside the payload?

Let's download the file from the URL we found for the previous question. We can use wget or curl for this task.

$ wget https://raw.githubusercontent.com/accidentalrebel/accidentalrebel.com/gh-pages/theme/images/test.png
--2023-07-21 11:33:41--  https://raw.githubusercontent.com/accidentalrebel/accidentalrebel.com/gh-pages/theme/images/test.png
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.110.133, 185.199.108.133, 185.199.111.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.110.133|:443... connected.
HTTP request sent, awaiting response... 404 Not Found
Saving to: ‘test.png’

test.png                                             100%[=====================================================================================================================>]      14  --.-KB/s    in 0s      

2023-07-21 11:33:42 ERROR 404: Not Found.

Then we can grep for the word flag piped with the strings command.

Last updated 9 months ago

$ rtfdump.py c39-EmprisaMaldoc.rtf 1 Level 1 c= 3 p=00000000 l= 8238 h= 7903; 4678 b= 0 u= 17 \rtf1 2 Level 2 c= 1 p=00000034 l= 37 h= 3; 2 b= 0 u= 5 \fonttbl 3 Level 3 c= 0 p=0000003d l= 27 h= 3; 2 b= 0 u= 5 \f0 4 Level 2 c= 0 p=0000005c l= 30 h= 11; 4 b= 0 u= 5 \*\generator 5 Level 2 c= 3 p=000000b2 l= 8054 h= 7889; 4678 b= 0 u= 7 \object 6 Level 3 c= 0 p=000000cb l= 22 h= 3; 1 b= 0 u= 7 \*\objclass Equation.3 7 Level 3 c= 0 p=000000f3 l= 7267 h= 7254; 4678 b= 0 O u= 0 \*\objdata Name: b'Equation.3\x00' Size: 3584 md5: 86e11891181069b51cc3d33521af9f1e magic: d0cf11e0 8 Level 3 c= 1 p=00001d58 l= 719 h= 632; 78 b= 0 u= 0 \result 9 Level 4 c= 1 p=00001d60 l= 710 h= 632; 78 b= 0 u= 0 \pict 10 Level 5 c= 0 p=00001d66 l= 10 h= 0; 0 b= 0 u= 0 \*\picprop 11 Remainder c= 0 p=00002030 l= 1 h= 0; 0 b= 0 u= 0 Only whitespace = 1

$ strings c39-EmprisaMaldoc.rtf_object_000000FE.bin Microsoft Equation 3.0 DS Equation Equation.3 8GetPu rocAu ddreu Qh.exehC:\oSRQharyAhLibrhLoadTS YPQf llQhon.dhurlmT eAQ3 hoFilhoadThownlhURLDTP T$$QQR Z[SRQhxeca hWinETS Z[hessa ahProchExitTS https://raw.githubusercontent.com/accidentalrebel/accidentalrebel.com/gh-pages/theme/images/test.png

$ wget https://raw.githubusercontent.com/accidentalrebel/accidentalrebel.com/gh-pages/theme/images/test.png --2023-07-21 11:33:41-- https://raw.githubusercontent.com/accidentalrebel/accidentalrebel.com/gh-pages/theme/images/test.png Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.110.133, 185.199.108.133, 185.199.111.133, ... Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.110.133|:443... connected. HTTP request sent, awaiting response... 404 Not Found Saving to: ‘test.png’ test.png 100%[=====================================================================================================================>] 14 --.-KB/s in 0s 2023-07-21 11:33:42 ERROR 404: Not Found.