CVE2017-0199 RTF Exploit Analysis

malware analysis CVE2017-0199
CVE2017-0199 utilizes a link type confusion vulnerability in RTF documents to download malicious HTA files from remote servers.


CVE-2017-0199 is a critical remote code execution vulnerability that affects various Microsoft Office products, including Word, PowerPoint, and Excel. This vulnerability allows an attacker to embed a malicious link or file within a document, and when a user opens the document, the attacker can execute arbitrary code on the victim's system.

General Analysis

To analyze a sample of a document that may contain the CVE-2017-0199 exploit, follow these steps:

Obtain a sample of the document: The first step is to obtain a sample of the document that may contain the exploit. This can be done by downloading a suspicious email attachment or document from a website.

Analyze the file properties: The next step is to analyze the properties of the file. This can be done by right-clicking on the file and selecting Properties. Look for any unusual information in the details tab such as the author, date created or modified, and digital signatures. If there are digital signatures, look to see if they are valid and match the expected signer. You can also use the file command on Linux to see the file type, and check for any unusual metadata.

Examine the file with a hex editor: A hex editor allows you to examine the file's contents. Search for the OLE signature, "D0 CF 11 E0 A1 B1 1A E1," which identifies the file as an OLE2 file, the format of Microsoft Office documents. Look for any strings that may indicate the presence of an exploit, such as HTTP or shellcode. You can use tools such as Hexinator or HxD to view and edit the file.

Open the file in a sandbox environment: Open the file in a virtual machine or a sandbox environment to see if it triggers any malicious activity. Observe any network activity, such as outbound connections or attempted downloads, and any changes to the file system or registry. You can use tools such as VirtualBox or Sandboxie to create a sandboxed environment.

Use a malware analysis tool: Use a malware analysis tool, such as Cuckoo Sandbox, Hybrid-Analysis, or VirusTotal, to automatically analyze the sample. These tools can help identify any malicious behavior and provide information about the exploit, such as its hashes or other indicators of compromise. You can also use tools like Yara rules to identify known malware patterns.

Review the logs: Finally, review the logs generated by the analysis tools and the sandbox environment. Look for any indications of malicious activity, such as the execution of unknown processes, network traffic to suspicious IP addresses, or unusual registry or file changes. You can use tools like Wireshark or Process Monitor to analyze system logs and network traffic.

By following these steps, you can identify and analyze the CVE-2017-0199 vulnerability and take steps to mitigate its impact. It's important to stay vigilant and keep your systems updated with the latest security patches to protect against known vulnerabilities. In addition, using security tools like firewalls, antivirus, and intrusion detection systems can help prevent malicious attacks from compromising your system.