Malicious Document

In this LetsDefend challenge, we received a notification that a malicious ZIP archive, "factura[.]zip", had been found executing on our network.

I began my investigation by running the archive through VirusTotal, where a few vendors flagged it as a Trojan/RTF exploit. Under the Relations tab there was an associated document, "factura.doc", that had been reported numerous times in the security community as highly malicious RTF exploit malware.

I discovered that this malware is associated with CVE-2017-11882, which, according to NIST, affects several Microsoft Office service packs and allows an attacker to run arbitrary code on behalf of the active user because the software fails to properly handle objects in memory, otherwise known as a "Corruption Vulnerability."

To further understand this exploit, I opened the file in an AnyRun sandbox and observed the spawning of an Equation Editor process that attempted to connect to the domain "seed-bc[.]com" to download "jan2.exe".

The connection was attempted to IP 185.36.74.48 over port 80. Historically, an additional child process called "aro.exe" was supposed to execute as the malware ran; however, my instance did not produce it. Looking through the public tasks for this file submitted by others in the security community, they were not witnessing this process either. Perhaps the configuration of the requested domain had changed, or the domain had been deactivated, as indicated by the 404 response in the HTTP Requests tab. Either way, this file clearly still represents a potential threat.
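The behaviour chain observed above (Office spawning Equation Editor, which then reaches out over HTTP for an executable) is what a defender would alert on. The following is an added example, not part of the original write-up or of any LetsDefend/AnyRun tooling: a small triage routine run over constructed sandbox-style events that mirror this run. It assumes the Equation Editor image name EQNEDT32.EXE (the binary patched by the CVE-2017-11882 fix) and a simple dict-per-event log format.

```python
from typing import Dict, List

# Office host processes that should never need to launch Equation Editor for a plain invoice.
OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
EQ_EDITOR = "EQNEDT32.EXE"  # assumed image name of the Equation Editor process


def triage(events: List[Dict]) -> List[str]:
    """Return one human-readable finding per detection that fired.

    Events are assumed to be in chronological order, so the process-create
    event for Equation Editor is seen before its network/HTTP activity.
    """
    findings: List[str] = []
    eq_pids = set()  # pids belonging to Equation Editor instances
    for ev in events:
        kind = ev["type"]
        if kind == "process":
            if ev["image"].upper() == EQ_EDITOR:
                eq_pids.add(ev["pid"])
                if ev["parent"].upper() in OFFICE_PARENTS:
                    findings.append(f"{ev['parent']} spawned {ev['image']} (pid {ev['pid']})")
            elif ev["parent"].upper() == EQ_EDITOR:
                # Would catch a dropped second stage such as the "aro.exe" the
                # write-up expected; the sample run below never produces it.
                findings.append(f"{EQ_EDITOR} spawned child {ev['image']}")
        elif kind == "network" and ev["pid"] in eq_pids:
            # Equation Editor has no legitimate reason to open sockets.
            findings.append(f"{EQ_EDITOR} connected to {ev['dst']}:{ev['port']}")
        elif kind == "http" and ev["pid"] in eq_pids:
            name = ev["url"].rsplit("/", 1)[-1]
            if name.lower().endswith(".exe"):
                # A 404 means the payload was not delivered, but the attempt is still an alert.
                outcome = "succeeded" if ev["status"] == 200 else f"failed (HTTP {ev['status']})"
                findings.append(f"{EQ_EDITOR} requested executable {name}, download {outcome}")
    return findings


# Constructed sample log mirroring the sandbox run described in the write-up.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 1001, "image": "WINWORD.EXE", "parent": "explorer.exe"},
    {"type": "process", "pid": 1002, "image": "EQNEDT32.EXE", "parent": "WINWORD.EXE"},
    {"type": "network", "pid": 1002, "dst": "185.36.74.48", "port": 80},
    {"type": "http", "pid": 1002, "url": "http://seed-bc[.]com/jan2.exe", "status": 404},
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```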