by RSS Bahare Sabouri and He Xu  |  May 30, 2017  |  Filed in: Security Research


CVE-2017-0199 is a remote code execution vulnerability that exists in the way that Microsoft Office and WordPad parse specially crafted files. An attacker who successfully exploits this vulnerability can take control of an affected system and then install programs, view, change, or delete data, or create new accounts with full user rights.

Microsoft issued a patch for this vulnerability April, and most security vendors have published alarms for it. Unfortunately, attacks targeting this vulnerability are still widely being used in the wild.

One of our FortiSandbox devices recently detected a suspicious RTF (Rich Text Format) file that it tagged as high risk. We here at FortiGuard Labs did some further investigation of the sample and found some interesting things. In this blog post, we will share what we found and attempt to reproduce the entire attack route.

Attack Route

Stage 1

The high risk RTF file arrives in a spear phishing email as an attachment. When the victim opens the file with a vulnerable version of MS Word, the exploit is activated. Next, it proceeds to download a malicious HTA file from  “http://5{REMOVED}.161/wstat/?id=77778888&act=1”, as seen in Figure 1.

Figure 1: Exploit retrieves an HTA file from the remote server

At the same time, the sample drops an embedded PE file in a temporary folder and names it “~WRF{C8E5B819-8668-4529-B7F9-2AB23E1F7F68}.tmp”. Figure 2 shows the embedded PE file.

Figure 2: Embedded PE file in the RTF sample

The downloaded HTA file is launched automatically. It executes the dropped PE file and performs some further attacks, according to its configuration. It is important to note that the HTA payload supports multi-vector attacks, as seen in Figure 3.

Figure 3: HTA configuration code

At the same time, it also collects system information according to its configuration, and sends the encoded data back to its C&C server (Figure 4.)

     Figure 4: Uploading the victim system report to the server

The sample we analyzed retrieved system information, anti-virus information, process list, and attack payload status (Figure 5.)

Figure 5: Collected data

Stage 2

There are many different attack approaches in HTA file, such as:

●      Executing a remote executable file / DLL file / ScriptLet file

●      Executing a local executable file / DLL file / ScriptLet file

In this attack, the payload is pretty straightforward to execute the local executable file (embedded in the malware). But we also discovered two additional payloads: a remote executable file and a ScriptLet file (these two payloads weren’t involved in this current attack).

The ScriptLet payload could be used to bypass Applocker to load a real attack payload (Figure 6.)

Figure 6: ScriptLet payload (not used in this attack)

In this scenario, the core payload file retrieves a DLL file using an HTTPS protocol received from the remote C&C server, https://176.{removed}.134/MAUy, which stores the file in memory and then jumps to the first byte to execute it (Figure 7.)

Figure 7: Memory only DLL

The full attack route is pretty simple, but quite efficient. Figure 8 shows the attack scenario:

Figure 8: Attack Route


This attack exposes vulnerable systems to significant risk. Failure to employ a patching protocol has been the root cause of a number of recent attacks. To fix the vulnerability discussed in the analysis, Fortinet recommends you install this Microsoft security update.

Spear phishing is always a dangerous attack vector that often carries recent vulnerability exploits. To stay safe, be cautious when opening any emails coming from an unknown source.

Sample Information

RTF file:

MD5: d4ff8e87f66150e36e4f70c65f422524

SHA256: 2a918030be965cd5f365eb28cd5a0bebec32d05c6a27333ade3beaf3c54d242c

Fortinet Detection Name: W32/Snojan.BMST!tr

Dropped executable:

MD5: c4505c6a6b148c3d7b5f4d756f49dbdf

SHA256: 39ac90410bd78f541eb42b1108d2264c7bd7a5feafe102cd7ac8f517c1bd3754

Fortinet Detection Name: W32/Snojan.BMST!tr

HTA file:

MD5: 2c085826d56eb39570d0d76e34d52052

SHA256: 326a01a5e2eeeeebe3dade94cf0f7298f259b72e93bd1739505e14df3e7ac21e

Fortinet Detection Name: VBS/Dlr.A!tr

by RSS Bahare Sabouri and He Xu  |  May 30, 2017  |  Filed in: Security Research