Last Updated: 2018-02-12 07:06:02 UTC
by Didier Stevens (Version: 1)
I received a malicious RTF file with several stages (PowerShell commands), containing Gzip compressed shellcode.
rtfdump shows the different elements of the RTF file:
We are interested in element 7 (containing a package)
This package contains a PowerShell command with BASE64 encoded commands.
base64dump can help us with the decoding:
PowerShell BASE64-encoded commands are UNICODE text, with utf16 we can convert it:
We notice another string of BASE64 text. Remark also the GzipStream object created at the end: this is a strong indication that the decode BASE64 data must be decompressed for further analysis:
Decompressing Gzip data can be done with translate:
Here we see yet another BASE64 string, and WIN32 API functions like VirtualAlloc and CreateThread, a strong indication that shellcode will be written to memory and executed.
Remark the User Agent String and IP address in this shellcode. To analyze shellcode, I often use the shellcode emulator scdbg.exe:
From the emulation report, we can see that this shellcode creates a TCP connection to port 4444, the default port used by Metasploit's reverse shells.
Remark that scdbg.exe emulates shellcode, it does not execute shellcode: no TCP connection is established. I prefer scdbg.exe over sctest from libemu because it emulates more WIN32 API functions, hence I will also use it on OSX and Linux with wine.