A quick analysis malicious RTF to write yara rule part 1

@r00tbsd and @securitybeard have written a article about “a new campaign involving the FormBook malware”.

In the chain infection, there is a rtf document that exploits Office with the vulnerability on equation rendering in Office product. (CVE-2017–11882)

I’ve decided to analyze the rtf 541ea322a3a6385211566f95cef333580a62341dac397e044a04504625acdd0d with rtfobj of oletools:

The exploit invoke the com object of Microsoft Equation with CLSID: 0002CE02–0000–0000-C000–000000000046

So it’s possible to write a yara rule with the CLSID and bits of exploits at offset 450.

rtfobj -s all -d . 541ea322a3a6385211566f95cef333580a62341dac397e044a04504625acdd0d

and at offset 800 the exploit like the article of Talos:

If you use the function similar with Virustotal, we found:

009073e675d2afb594dd76281d31623b3d5f2fe04fefba2c5649ab2a01ec0757
0948e890b944755fe8d8799a83636a2e4fb87ccbe375b0cdbc28165043844b95
1075b35bba735e0fe5f7c7d5c5995e6681d18f3952ca77dd99f5c3e2d6f57a9e
1bfea24319f13f40d789b0eca7566f54603541f88ce903f2993eb30cda578c7b
1c0bea3fb8fe00435688180f339001875bbf120cff94fd3fdb38fd24344f3c23
331db4fc16d6bdfc83f8cfcc835550bf1b293e9ee3ec61400f2ff47336fb39cd
346deafae9b1b7e8d6e18922fd2f032ef1ee95f4c353e9d4a895b6bf37ce1f9c
36f4ce57ce3914f0d85be99d96b92768ce809916914a40b5ac2a59b9666a390b
4c18ef75ba7626a423955fd501657720fa66e2dc64fed30822ea3dd9ccfd6c9e
500bdaf88b45e73e7b33a0842396c198595478067ffdd331b092301731dccd26
69d8d5481706da4091b14e5ffd99165ae0d0ef4be7c1e6f4c3a07442a584f710
6ac5cd04c452b964f117945f5e6dee85be5d3221f2e1fae728f08f8b52cbfe50
6f5318bb6e997c289856e9a6a2c863afef54c8c0884eb7de5c5bc629e3b7cfcf
7582896a7d743b0aea156ed12e582714ad1ff89c3f1c38549e615ecb15c261bf
75d5289c3a35d526bf27318ccc4f73ed3f5cc7952712af183d9445d87cc6745f
7ac6d53079b80ad54d2f2748bb461594393ad3c703aae8a0d355dd8ab04f72b1
8178a63c7112b2a57ea7a49f05277b2ca4dc5f9f0ef5c4e6353f97e8709cbfd6
854f3198651b4d83768344654c6f1aa4ed39cc5d2f7d6f2bb315edb52d5fb59b
bbb2d4565a6b5832bec0a423b68ab95ad917765e89ac48b9a15ac764fc23b835
c687fae4012aff7e229bfec48728ffd8f1379a36a33514010a71e6a4b6edb1f5
de20d0cc5bb7f1ece442f72b8d1ce51cb436ab3c7eb0c157810366cfdae87d18
e9f06652ff6a1db92ddfe2ad5f2ebd0d73ea5b54c71947d92c13a4b5cc69ff36
eed572a9367b96b525385ea5b63b6cc8bcd7ef9eb0007a4513391f82da596a2c
f2bb1cc889eff409c1613e5268e4cb8eb7ba52f3c389b57f9246ea59e8de52db

If i check f2bb1cc889eff409c1613e5268e4cb8eb7ba52f3c389b57f9246ea59e8de52db,

the MTEF here is 0x02 and not 0x03 at offset 0x804 like the article of Talos and there is the CLSID of Microsoft Equation.

So the yara rule to detect the exploit can be:

rule ole_eploit {
 strings:
 $a = { 02 ce 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 }
 $b = { [2–3] ?? ?? ?? ?? ?? ?? 08 ?? ??}
 condition:
 $a and $b
}

$a is the CLSID of Microsoft Equation

And $b the start of MTEF header [2–3] ?? ?? ?? ?? ?? ?? and 08 ?? ?? for the font.

so you can automatize with rtfobj and yara to hunt this kind of exploit.

https://blog.talosintelligence.com/2018/06/my-little-formbook.html?m=1