AhnLab Security Center


PowerShell Attack on MS Office Documents


On September 12, 2017, Microsoft released a patch for a vulnerability triggered through Microsoft Office RTF documents, which an attacker can exploit to inject code through the Simple Object Access Protocol (SOAP) Web Services Description Language (WSDL) parser.


The vulnerability (CVE-2017-8759) could allow execution of arbitrary code inserted by the attacker while SOAP WSDL definitions are parsed in the Windows .NET Framework.


The malicious email attachment, a Rich Text Format (RTF) file, displays the content shown in Figure 1 when opened. In fact, opening it exploits the CVE-2017-8759 vulnerability to introduce malware by downloading and executing additional malicious files.


[Figure 1] Malicious RTF file 


Figure 2 shows that this malware uses the OLE link object type in a way similar to exploits of the CVE-2017-0199 vulnerability.



[Figure 2] OLE autolink object type contained in the RTF file


As shown in Figure 3, the WSDL file, which describes the XML-based interface to a web service, is downloaded through the SOAP Moniker and then compiled into the .NET code shown in Figure 4.


[Figure 3] SOAP WSDL file downloaded with SOAP Moniker 


By exploiting the vulnerability, the downloaded .hta file is executed via mshta.exe as shown in Figure 4.



[Figure 4] An .hta file executed via mshta.exe


The .hta file then downloads and executes the final executable file through a PowerShell command, as shown in Figure 5. The file, which carries out the final malicious activity, is disguised as a Chrome browser file, as shown in Figure 6.


[Figure 5] Final executable file in a portable executable format



[Figure 6] Chrome browser disguised file 


The file copies itself and registers the copy in the registry so that it runs automatically every time Windows starts.


Once the malicious file has completed self-copying and auto-run registration, it is expected to attempt a connection with the C&C server and conduct malicious activities through further commands.
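The execution chain described above (an Office document leading to mshta.exe, which in turn launches PowerShell) can be hunted for in process-creation telemetry. The following is an added example, not AhnLab's code; the event records, field names and rule names are constructed for illustration.

```python
import ntpath

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Constructed process-creation records (not real telemetry): pid, parent pid, image.
EVENTS = [
    {"pid": 100, "ppid": 4, "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"},
    {"pid": 220, "ppid": 200, "image": r"C:\Windows\System32\mshta.exe"},
    {"pid": 230, "ppid": 220, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # Benign look-alikes that must not alert: user-launched PowerShell and mshta.
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 310, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe"},
]

def name(image):
    """Lower-cased file name of a Windows image path (works on any host OS)."""
    return ntpath.basename(image).lower()

def ancestors(pid, by_pid):
    """Yield ancestor records from the parent upward, stopping on pid loops."""
    seen = set()
    rec = by_pid.get(pid)
    while rec and rec["ppid"] in by_pid and rec["ppid"] not in seen:
        seen.add(rec["ppid"])
        rec = by_pid[rec["ppid"]]
        yield rec

def find_chains(events):
    """Return (rule, pid) for each process whose lineage matches the chain."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        lineage = [name(a["image"]) for a in ancestors(e["pid"], by_pid)]
        from_office = any(a in OFFICE for a in lineage)
        n = name(e["image"])
        if n == "mshta.exe" and from_office:
            hits.append(("office_spawns_mshta", e["pid"]))
        elif n == "powershell.exe" and "mshta.exe" in lineage:
            rule = "office_mshta_powershell" if from_office else "mshta_spawns_powershell"
            hits.append((rule, e["pid"]))
    return hits

if __name__ == "__main__":
    for rule, pid in find_chains(EVENTS):
        print(f"ALERT {rule}: pid {pid}")
```

Production telemetry should key on a unique process identifier such as Sysmon's ProcessGuid rather than the PID, because PIDs are reused.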


The malware, which exploits the CVE-2017-8759 vulnerability, is expected to be identified as a remote malware similar to FINSPY. Systems with the .NET Framework must therefore be updated, as the vulnerability may be used in other activities to spread malware in the future.


In addition, to prevent malware infection in the first place, it is important not to open suspicious mail from an unknown sender and not to download or run any suspicious attachments.


The aliases identified by AhnLab’s security solutions are as follows:

<Aliases identified by AhnLab V3>

- RTF/Cve-2017-8759

- Trojan/Win32.Agent

<Aliases identified by AhnLab MDS>

- Exploit/RTF.ROP

- Suspicious/MDP.Behavior