{
	"id": "99d9a481-21a2-4b3a-8e52-2d186124d9d1",
	"created_at": "2026-04-06T01:31:08.959646Z",
	"updated_at": "2026-04-10T03:21:15.612499Z",
	"deleted_at": null,
	"sha1_hash": "a74848612e449c95a8c0b9a63db1574368c14d3c",
	"title": "CVE-2017-11826 Exploited in the Wild with Politically Themed RTF Document",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2821251,
	"plain_text": "CVE-2017-11826 Exploited in the Wild with Politically Themed\r\nRTF Document\r\nBy Jasper Manuel, Joie Salvio, Wayne Low\r\nPublished: 2017-11-22 · Archived: 2026-04-06 01:07:14 UTC\r\nRecently, FortiGuard Labs found an interesting malware campaign using the recently documented vulnerability\r\nCVE-2017-11826 that was patched by Microsoft in October of this year. A detailed analysis of this exploit is also\r\nincluded in this article.\r\nBased on the context of the campaign used to lure victims, as well as how the payload malware behaves, we had a\r\nhunch that this was not a common cybercrime campaign and was even possibly a targeted attack on specific\r\ninstitutions or locales. For this reason, we decided to look deeper.\r\nAs is common with this type of attack, the command-and-control (C2) server for this campaign was only\r\naccessible for a short period of time. This means information from a dynamic analysis is very limited. However, it\r\nis also important to know what an attack is capable of doing once it is inside a victim’s system. Not only does this\r\nhelp identify the scope of the possible damage it may have caused, but it can also be a basis for future mitigations.\r\nIn this case, with regards to the payload, we had to resort to static analysis tools and techniques to simulate\r\nwhat would happen if the C2 were alive. In the end, we were able to identify and collect this information.\r\nThe Politically-themed Bait\r\nThe attack vector is a malicious Rich Text Format (RTF) file that uses targeted, politically themed content to\r\nattract a user into opening the file. 
When the RTF file is opened, it displays text about Aqua Mul Mujahidin, a\r\njihadist group which advocates for militant resistance in the Rakhine State of Myanmar.\r\nhttps://www.fortinet.com/blog/threat-research/cve-2017-11826-exploited-in-the-wild-with-politically-themed-rtf-document\r\nPage 1 of 17\n\nFigure 1: Initial document\r\nAfter the exploit triggers, another decoy document is shown to the user. This time the text is about the power\r\nstruggle in Saudi Arabia, which was obviously drawn from an online article entitled Saudi Arabia’s ‘Game of\r\nThobes’.\r\nFigure 2: Decoy document\r\nWe are unsure how the contents are linked, but this is clearly an attempt to lure in and trick a user with a specific\r\ninterest in or knowledge of these events into thinking that the documents are benign. In reality, the exploit is\r\nworking its way in the background to deliver malware that could take hold of the unaware victim’s system.\r\nDissecting CVE-2017-11826 RTF Document\r\nGenerally, an RTF exploit uses OLE to enclose payloads within the document itself. The following analysis\r\ndemonstrates how to locate and extract the exploit’s payloads by using open-source tools.\r\nRtfdump.py by Didier Stevens enables the listing of all control words defined in the RTF file. 
The particular\r\ncontrol word of our interest, named “\\object”, is used to define the embedded OLE object:\r\nE:\\rtfdump_V0_0_3\u003ertfdump.py -d E:\\CVE-2017-11826\\cve-2017-11826_rtf | findstr /I \"object\"\r\n 1698 Level 2 c= 3 p=000396d9 l= 217 h= 126 b= 0 u= 4 \\object\r\n 1703 Level 2 c= 3 p=000397b3 l= 106721 h= 106600 b= 0 u= 10 \\object\r\n 1708 Level 2 c= 3 p=00053895 l= 28897 h= 28776 b= 0 u= 10 \\object\r\nE:\\rtfdump_V0_0_3\u003ertfdump.py -d E:\\CVE-2017-11826\\cve-2017-11826_rtf -s 1698 \u003e object_1698.bin\r\nE:\\rtfdump_V0_0_3\u003ertfdump.py -d E:\\CVE-2017-11826\\cve-2017-11826_rtf -s 1703 \u003e object_1703.bin\r\nE:\\rtfdump_V0_0_3\u003ertfdump.py -d E:\\CVE-2017-11826\\cve-2017-11826_rtf -s 1708 \u003e object_1708.bin\r\nListing 1: Using rtfdump.py to locate embedded objects\r\nFigure 3: The output from extracting three different objects found in the RTF exploit\r\nThe purpose of OLE object #1698 is to automatically load the COM DLL, C:\\Windows\\system32\\msvbvm60.dll,\r\ninto the Microsoft Word process address space by specifying CLSID {D5DE8D20-5BB8-11D1-A1E3-00A0C90F2731}\r\nin the “\\oleclsid” control word. The COM DLL does not have the address space layout\r\nrandomization compiler feature enabled. Hence, exploiters often take advantage of this DLL to build an exploit\r\nchain for vulnerable Microsoft Office suites. On the other hand, the dumped objects #1703 and #1708 appear to be\r\nWord documents, as indicated by the “\\objclass” control word in the above figure. However, the OLE objects are\r\nrepresented as hex strings, so we need to convert the hex string to binary format in order to read them. 
For this,\r\nOletools’s RTFObj by Decalage can be used:\r\nC:\\Python27\\Lib\\site-packages\\oletools\\rtfobj.py -s all E:\\CVE-2017-11826\\object_1703.bin\r\nrtfobj 0.50 - http://decalage.info/python/oletools\r\nTHIS IS WORK IN PROGRESS - Check updates regularly!\r\nPlease report any issue at https://github.com/decalage2/oletools/issues\r\n===============================================================================\r\nFile: 'E:\\\\CVE-2017-11826\\\\object_1703.bin' - size: 106713 bytes\r\n---+----------+-------------------------------+-------------------------------\r\nid |index |OLE Object |OLE Package\r\n---+----------+-------------------------------+-------------------------------\r\n0 |0000004Ch |format_id: 2 |Not an OLE Package\r\n | |class name: 'Word.Document.12' |\r\n | |data size: 53248 |\r\n---+----------+-------------------------------+-------------------------------\r\nSaving file embedded in OLE object #0:\r\n format_id = 2\r\n class name = 'Word.Document.12'\r\n data size = 53248\r\n saving to file E:\\\\CVE-2017-11826\\\\object_1703.bin_object_0000004C.doc\r\nC:\\Python27\\Lib\\site-packages\\oletools\\rtfobj.py -s all E:\\CVE-2017-11826\\object_1708.bin\r\nrtfobj 0.50 - http://decalage.info/python/oletools\r\nTHIS IS WORK IN PROGRESS - Check updates regularly!\r\nPlease report any issue at https://github.com/decalage2/oletools/issues\r\n===============================================================================\r\nFile: 'E:\\\\CVE-2017-11826\\\\object_1708.bin' - size: 28889 bytes\r\n---+----------+-------------------------------+-------------------------------\r\nid |index |OLE Object |OLE Package\r\n---+----------+-------------------------------+-------------------------------\r\n0 |0000004Ch |format_id: 2 |Not an OLE Package\r\n | |class name: 'Word.Document.12' |\r\n | |data size: 14336 
|\r\n---+----------+-------------------------------+-------------------------------\r\nSaving file embedded in OLE object #0:\r\n format_id = 2\r\n class name = 'Word.Document.12'\r\n data size = 14336\r\n saving to file E:\\CVE-2017-11826\\object_1708.bin_object_0000004C.doc\r\nListing 2: Output after converting Word documents from hex-string to binary format\r\nTo summarize, both of the extracted documents are OLE files with an embedded DOCX, which is a zipped XML-based document stored under the stream name Package. We can dump the contents of Package using oledump.py by\r\nDidier Stevens:\r\nE:\\Oledump\\oledump_V0_0_3\u003eoledump.py E:\\CVE-2017-11826\\object_1703.bin_object_0000004C.doc\r\n 1: 114 '\\x01CompObj'\r\n 2: 6 '\\x03ObjInfo'\r\n 3: 50517 'Package'\r\nE:\\Oledump\\oledump_V0_0_3\u003eoledump.py -s 3 -d E:\\CVE-2017-11826\\object_1703.bin_object_0000004C.doc \u003e object_1703\r\nE:\\Oledump\\oledump_V0_0_3\u003eoledump.py E:\\CVE-2017-11826\\object_1708.bin_object_0000004C.doc\r\n 1: 114 '\\x01CompObj'\r\n 2: 6 '\\x03ObjInfo'\r\n 3: 11304 'Package'\r\nE:\\Oledump\\oledump_V0_0_3\u003eoledump.py -s 3 -d E:\\CVE-2017-11826\\object_1708.bin_object_0000004C.doc \u003e object_1708\r\nListing 3: The result of dumping the DOCX files embedded in the Word document\r\nBased on the results from oledump.py, we can determine that object_1703_Package.docx serves as a heap spray\r\ncomponent: a technique that fills a large range of memory addresses with attacker-controlled data, here\r\ndefined in the ActiveX objects (eg: activeX1.bin) found in the unzipped DOCX file:\r\nE:\\CVE-2017-11826\\object_1703_Package\u003edir .\\word\\activeX\\activeX*\r\n Volume in drive E is Seagate Expansion Drive\r\n Volume Serial Number is 1E12-60A4\r\n Directory of E:\\CVE-2017-11826\\object_1703_Package\\word\\activeX\r\n17/09/2017 05:12 PM 2,099,200 
activeX1.bin\r\n17/09/2017 05:12 PM 299 activeX1.xml\r\n17/09/2017 05:12 PM 299 activeX10.xml\r\n17/09/2017 05:12 PM 299 activeX11.xml\r\n17/09/2017 05:12 PM 299 activeX12.xml\r\n17/09/2017 05:12 PM 299 activeX13.xml\r\n17/09/2017 05:12 PM 299 activeX14.xml\r\n17/09/2017 05:12 PM 299 activeX15.xml\r\n17/09/2017 05:12 PM 299 activeX16.xml\r\n17/09/2017 05:12 PM 299 activeX17.xml\r\n17/09/2017 05:12 PM 299 activeX18.xml\r\n17/09/2017 05:12 PM 299 activeX19.xml\r\n17/09/2017 05:12 PM 299 activeX2.xml\r\n17/09/2017 05:12 PM 299 activeX20.xml\r\n17/09/2017 05:12 PM 299 activeX21.xml\r\n17/09/2017 05:12 PM 299 activeX22.xml\r\n17/09/2017 05:12 PM 299 activeX23.xml\r\n17/09/2017 05:12 PM 299 activeX24.xml\r\n17/09/2017 05:12 PM 299 activeX25.xml\r\n17/09/2017 05:12 PM 299 activeX26.xml\r\n17/09/2017 05:12 PM 299 activeX27.xml\r\n17/09/2017 05:12 PM 299 activeX28.xml\r\n17/09/2017 05:12 PM 299 activeX29.xml\r\n17/09/2017 05:12 PM 299 activeX3.xml\r\n17/09/2017 05:12 PM 299 activeX30.xml\r\n17/09/2017 05:12 PM 299 activeX31.xml\r\n17/09/2017 05:12 PM 299 activeX32.xml\r\n17/09/2017 05:12 PM 299 activeX33.xml\r\n17/09/2017 05:12 PM 299 activeX34.xml\r\n17/09/2017 05:12 PM 299 activeX35.xml\r\n17/09/2017 05:12 PM 299 activeX36.xml\r\n17/09/2017 05:12 PM 299 activeX37.xml\r\n17/09/2017 05:12 PM 299 activeX38.xml\r\n17/09/2017 05:12 PM 299 activeX39.xml\r\n17/09/2017 05:12 PM 299 activeX4.xml\r\n17/09/2017 05:12 PM 299 activeX40.xml\r\n17/09/2017 05:12 PM 299 activeX5.xml\r\n17/09/2017 05:12 PM 299 activeX6.xml\r\n17/09/2017 05:12 PM 299 activeX7.xml\r\n17/09/2017 05:12 PM 299 activeX8.xml\r\n17/09/2017 05:12 PM 299 activeX9.xml\r\n 41 File(s) 2,111,160 bytes\r\n 0 Dir(s) 357,963,862,016 bytes free\r\nListing 4: The content of #1703’s unzipped DOCX\r\nOn the other hand, the object_1708_Package.docx contains multiple XML files, which can be 
easily observed\r\nafter you unzip the DOCX; Microsoft Word parses them when the document is opened. Based on our past experience, there should\r\nbe malformed XML file(s) that could trigger the CVE-2017-11826 vulnerability. Since there are typically multiple\r\nXML files included in a DOCX, it would be time consuming to look for the malformed XML file(s) by hand. So we decided\r\nto fire up a debugger to locate the culprit.\r\nUnderstanding the Root Cause of CVE-2017-11826 Vulnerability\r\nPlease take note that the following analysis is based on wwlib.dll 14.0.7182.5000 running on Microsoft Word\r\n2010 32-Bit.\r\nListing 6, below, shows the crash context when object_1708_Package.docx is opened under a vulnerable\r\nwinword.exe using the debugger:\r\nFirst chance exceptions are reported before any exception handling.\r\nThis exception may be expected and handled.\r\neax=088888ec ebx=00000000 ecx=00000000 edx=00000004 esi=054cb29c edi=1014c8cc\r\neip=68bb962d esp=001c3358 ebp=001c33c4 iopl=0 nv up ei pl nz na po nc\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202\r\n*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\\Program Files\\Microsoft Office\\Of\r\nwwlib!DllGetClassObject+0xf2e3d:\r\n68bb962d ff5104 call dword ptr [ecx+4] ds:0023:00000004=????????\r\n*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\\Program Files\\Common Files\\Micros\r\n0:000\u003e kb\r\nChildEBP RetAddr Args to Child\r\nWARNING: Stack unwind information not available. 
Following frames may be wrong.\r\n001c33c4 68ad1a32 00000000 001c3438 00000000 wwlib!DllGetClassObject+0xf2e3d\r\n001c3418 66524316 0000ffff 0000001a 0b648a94 wwlib!DllGetClassObject+0xb242\r\n001c3458 6634929f 11940fe4 0bf3ffac 00000027 mso!Ordinal6611+0x120\r\n001c34a8 71689441 0fb7ef6c 0b20dfb0 80000005 mso!Ordinal4512+0xa9d\r\n001c3514 7168941f 00000004 0b648a9c 0b648a90 msxml6!Reader::ParseElementN+0x379 [d:\\w7rtm\\sql\\xml\\msxml6\\mx\\read\r\n001c3560 7168941f 00000003 0b648a9c 0b648a90 msxml6!Reader::ParseElementN+0x268 [d:\\w7rtm\\sql\\xml\\msxml6\\mx\\read\r\n001c35ac 7168941f 00000002 0b648a9c 0b648a90 msxml6!Reader::ParseElementN+0x268 [d:\\w7rtm\\sql\\xml\\msxml6\\mx\\read\r\n001c35f8 7168941f 00000001 0b648a9c 0b648a90 msxml6!Reader::ParseElementN+0x268 [d:\\w7rtm\\sql\\xml\\msxml6\\mx\\read\r\n001c3644 7168941f 0b648a9c 0b648a90 00000000 msxml6!Reader::ParseElementN+0x268 [d:\\w7rtm\\sql\\xml\\msxml6\\mx\\read\r\n001c3690 716871df 0b648a90 00000000 00000000 msxml6!Reader::ParseElementN+0x268 [d:\\w7rtm\\sql\\xml\\msxml6\\mx\\read\r\n001c36a0 7168711b 83515133 0b648a90 0b5c0fe8 msxml6!Reader::ParseDocument+0x97 [d:\\w7rtm\\sql\\xml\\msxml6\\mx\\reade\r\n001c36dc 71689e2b 835150f3 001c3738 001c3788 msxml6!Reader::Parse+0xb1 [d:\\w7rtm\\sql\\xml\\msxml6\\mx\\reader\\reader\r\n001c371c 71687dcb 0b648a90 119a000d 001c48a8 msxml6!Reader::parse+0x162 [d:\\w7rtm\\sql\\xml\\msxml6\\mx\\reader\\reade\r\n001c376c 6634877d 0b648a90 119a000d 001c48a8 msxml6!SAXReader::parse+0x145 [d:\\w7rtm\\sql\\xml\\msxml6\\mx\\om\\saxrea\r\n001c379c 6652455b 00000000 119a000d 001c48a8 mso!Ordinal318+0x8a3\r\n001c37d4 68acede0 11940fe0 11b99ff0 0ffbcfec mso!Ordinal2664+0x234\r\n001c48a8 68acd3c5 0fbf0948 00000000 0fa1eff0 wwlib!DllGetClassObject+0x85f0\r\n001c5d80 68acc2db 001c603c 10198fe8 054cb250 wwlib!DllGetClassObject+0x6bd5\r\n001c6024 68acbeca 001c603c 40280000 00000030 wwlib!DllGetClassObject+0x5aeb\r\n001c609c 68acabee 0000000c 04012000 001c77a8 
wwlib!DllGetClassObject+0x56da\r\n001c7794 68ac984d 0000000c 00000000 04012000 wwlib!DllGetClassObject+0x43fe\r\n001c7c3c 68b90b55 001c8584 00000001 00000000 wwlib!DllGetClassObject+0x305d\r\n001c9010 68b8f6ff 001c9334 001c932c 04012000 wwlib!DllGetClassObject+0xca365\r\n001c905c 68e53819 001c9334 001c932c 04012000 wwlib!DllGetClassObject+0xc8f0f\r\n001ca5b0 690b404a 001ca60c 00000824 00000000 wwlib!DllGetClassObject+0x38d029\r\n001cb65c 6890e9c5 001cbb50 ffffffff 00000001 wwlib!DllGetClassObject+0x5ed85a\r\n001cbb24 688ff4f7 00000003 001cbb50 00000001 wwlib!DllMain+0x11dd4\r\n001cdb94 6924b641 001cdc72 0000000a 001cdbfc wwlib!DllMain+0x2906\r\n*** ERROR: Symbol file could not be found. Defaulted to export symbols for winword.exe -\r\n001cfd08 2fdd1c68 2fdd0000 00000000 023aefc9 wwlib!FMain+0x491\r\n001cfd2c 2fdd1ec2 2fdd0000 00000000 023aefc9 winword!wdGetApplicationObject+0x63a\r\n001cfdbc 76a4ef8c 7ffdc000 001cfe08 7755367a winword!wdGetApplicationObject+0x894\r\n001cfdc8 7755367a 7ffdc000 76598307 00000000 kernel32!BaseThreadInitThunk+0xe\r\n001cfe08 7755364d 2fdd2045 7ffdc000 ffffffff ntdll!__RtlUserThreadStart+0x70\r\n001cfe20 00000000 2fdd2045 7ffdc000 00000000 ntdll!_RtlUserThreadStart+0x1b\r\n0:000\u003e ub . 
l10\r\nwwlib!DllGetClassObject+0xf2e13:\r\n68bb9603 752d jne wwlib!DllGetClassObject+0xf2e42 (68bb9632)\r\n68bb9605 8bb6f0170000 mov esi,dword ptr [esi+17F0h]\r\n68bb960b 8b06 mov eax,dword ptr [esi]\r\n68bb960d 8b10 mov edx,dword ptr [eax]\r\n68bb960f 4a dec edx\r\n68bb9610 4a dec edx\r\n68bb9611 8bce mov ecx,esi\r\n68bb9613 e8ee70d4ff call wwlib!DllMain+0x3b15 (68900706)\r\n68bb9618 8b4044 mov eax,dword ptr [eax+44h]\r\n68bb961b 8b4044 mov eax,dword ptr [eax+44h]\r\n68bb961e 8b4f44 mov ecx,dword ptr [edi+44h]\r\n68bb9621 894144 mov dword ptr [ecx+44h],eax // EAX=088888ec\r\n68bb9624 8b4744 mov eax,dword ptr [edi+44h]\r\n68bb9627 8b4044 mov eax,dword ptr [eax+44h]\r\n68bb962a 8b08 mov ecx,dword ptr [eax]\r\n68bb962c 50 push eax\r\n68bb962d ff5104 call dword ptr [ecx+4] ds:0023:00000004=????????\r\nListing 5: Microsoft Word crash context\r\n0:000\u003e r\r\neax=088888ec ebx=00000000 ecx=00000000 edx=00000004 esi=054cb29c edi=1014c8cc\r\neip=68bb962d esp=001c3358 ebp=001c33c4 iopl=0 nv up ei pl nz na po nc\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202\r\nwwlib!DllGetClassObject+0xf2e3d:\r\n68bb962d ff5104 call dword ptr [ecx+4] ds:0023:00000004=????????\r\n0:000\u003e dc 088888ec\r\n088888ec 00000000 00000000 00000000 00000000 ................\r\n088888fc 00000000 00000000 00000000 00000000 ................\r\n0888890c 00000000 00000000 00000000 00000000 ................\r\n0888891c 00000000 00000000 00000000 00000000 ................\r\n0888892c 00000000 00000000 00000000 00000000 ................\r\n0888893c 00000000 00000000 00000000 00000000 ................\r\n0888894c 00000000 00000000 00000000 00000000 ................\r\n0888895c 00000000 00000000 00000000 00000000 ................\r\nListing 6: Empty vftable results in an invalid function call dereference\r\nIn a nutshell, a vftable at 0x88888ec address 
was returned by the wwlib!DllMain+3b15 function. The\r\nvftable was dereferenced later in the code, at address 0x68BB962D. An access violation occurred\r\nwhen the code dereferenced a function pointer through the call instruction due to the empty vftable, as shown in\r\nthe listing.\r\nAfter executing the vulnerable document a few times, we observed that the same 0x88888ec address was returned\r\nby the said function. A quick inspection of that function reveals that it basically returns a pointer to some\r\nunknown object. However, knowing what kind of object was returned would take more reverse engineering effort\r\nbecause Microsoft does not provide symbol files for Microsoft Office binaries. Therefore, we decided\r\nto take an alternative approach. Fortunately, based on the call stack shown in Listing 5, we were able to identify a\r\ncouple of interesting XML parser functions, such as msxml6!Reader::ParseDocument and\r\nmsxml6!Reader::ParseElementN, which, as their names imply, are involved in parsing XML files. As\r\na result, we were able to narrow down the scope of our analysis (thanks to the msxml6.dll symbol file provided by\r\nMicrosoft!)\r\nAfter some reverse engineering, Scanner::GetTokenValueQName within Reader::ParseElementN was the function\r\nthat stood out. Basically, its purpose is to get the qualified name (eg: , the qualified name will be w:body), which is\r\nthe terminology used by Office Open XML. In order to shorten our analysis time, we decided to create some\r\ndebugger breakpoints that would print the qualified name whenever the function was hit.\r\nListing 7: Using debugger’s breakpoint to discover the offending XML’s segment name\r\nAs shown in the listing above, the problematic qualified name seems to be o:idma. 
We can quickly grep the\r\nqualified name against all the XML files found in the unzipped DOCX in order to locate the associated XML file:\r\nAfter some experimenting with document.xml, we were able to confirm that this is the offending XML file. We\r\nmodified the font name in the following, and realized that a different address was being returned by the function:\r\nAs a result, we got the following output from the debugger:\r\nListing 8: The debugger result after manipulating the content of w:font\r\nThis time we got the access violation before the call instruction as it dereferenced the 0x410041 address, which\r\ncorresponds to the contents that we modified in document.xml. Therefore, we can conclude that the underlying issue is\r\na type confusion on the invalid font object returned by the wwlib!DllMain+3b15 function as a result of the\r\nnested font qualified name within the o:OLEObject qualified name.\r\nAnalyzing CVE-2017-11826’s Exploit Shellcode\r\nAs mentioned in the previous section, the attacker could determine an arbitrary address for a call instruction by\r\nmanipulating the content of a nested font qualified name. The attacker chose the static 0x88888ec address, which\r\nis the result of the encoding of the unicode font name we saw in the initial document.xml, as explained in the\r\nprevious section.\r\nThis is where the ActiveX heap spray comes into play. If the heap spray is executed successfully, the stack pivot\r\nand hardcoded shellcode in activeX1.bin will be written to the 0x88888ec address space. 
The shellcode will then\r\nperform the following routine:\r\nCall kernel32!VirtualAlloc to create an executable memory page\r\nCall a series of kernel32!GetFileSize APIs, starting with the file handle value 0, incremented by 4 every\r\ntime the function is called, until a file with a size between 0xA000 and 0x200000 is found, which should\r\nmatch the file size of the RTF document exploit.\r\nAfter the file handle is found in the previous step, it will call kernel32!MapViewOfFile to map the file\r\ncontent into memory.\r\nThe shellcode then parses the file content, looks for the marker “FE FE FE FE FE FE FE FE FE FE FE\r\nFE FF FF FF FF”, and then decodes the next 0x150 DWORDs after the marker using the XOR key\r\n0xBCAD3333\r\nThe decoded bytes are then stored in the executable memory page allocated in the early stage of the\r\nshellcode. The shellcode then passes control to the executable page – the second stage of the shellcode\r\nThe purpose of the second stage of the shellcode is to drop the final payload as\r\n%APPDATA%\\Microsoft\\Word\\STARTUP\\..wll, which is a DLL that drops (as vcpkgs.exe) and executes the\r\nactual downloader embedded in its resource section\r\nThe decoy document is then written over the original exploit RTF document upon successfully executing\r\nthe final payload\r\nFigure 4: WinWord process drops and executes downloader malware\r\nWhen the downloader is executed, it connects to http[:]//45.76.36.243/articles to download files with an .html\r\nextension name, but which actually contain encrypted data.\r\nFigure 5: Malware site hosting the split and encrypted backdoor malware\r\nIt first downloads and decrypts the file 937933.html, which contains a list of download URLs for the other html\r\nfiles. 
The other five html files are actually the backdoor file split into five chunks of encrypted data. The\r\ndownloaded file is then saved as %temp%//svchosts.exe. Encrypting the chunks effectively disguises them as\r\nnon-executable file types. And since network scanners are stricter and more meticulous with executable types, this is\r\nable to bypass traditional file type-based scanning in the network. And even in the very unlikely scenario that a\r\nchunk is decrypted, only a part of the executable will be scanned, which is usually not enough information for\r\ndetection.\r\nFigure 6: First chunk of the encrypted backdoor executable\r\nThe Payload - “IRAFAU” Backdoor Analysis\r\nThe backdoor, which we now call “IRAFAU” from a decrypted string found during analysis, comes as a file\r\npacked with what looks to be a modified UPX. Regardless, unpacking it is simple.\r\nFigure 7: UPX tool confirming the modified UPX packer\r\nOnce unpacked, the backdoor malware’s behavior was not obvious because its strings were still encrypted and\r\nthe APIs used had been dynamically imported.\r\nSo, the first thing this malware does is initialize a structure where it stores the decrypted strings that will be\r\nused in the next function calls. This includes the command and control server string, function pointers, and\r\ndynamically imported APIs that will be used throughout its execution. 
This structure is passed as a parameter to\r\nsubsequent functions.\r\nSince the C2 server was already down at the time of analysis, identifying this structure was instrumental to\r\nsimulating the malware’s next operations via static analysis.\r\nFigure 8: Replicated malware structure\r\nBefore contacting the command and control server at saudiedi.toh.info, this malware collects the following\r\ninformation about the affected system, which it sends to the C2 server via HTTP POST:\r\nComputer name\r\nMAC address\r\nLocal IP address\r\nOS version\r\nOS Language ID and locale ID\r\nIt then generates the victim ID by computing the MD5 hash of {computer name}:{mac address} of the affected\r\nsystem.\r\nFigure 9: Sample network communication with the C2\r\nThe collected information is then encrypted and sent to the C2 via the HTTP POST method using the following\r\nparameters:\r\nsaudiedi.toh.info/search?q=%{hex}%{hex}%{hex}%{hex}\u0026cvid={numbers}\r\nAs mentioned, as of this writing the C2 server was already down and simulating the response from the server\r\nwould have taken a while. So instead, we opted to use the previously mentioned structure to reveal what would\r\nhave been the attacker’s options.\r\nFigure 10: Code snippet from the backdoor command function\r\nEventually, we found out that the server would have sent an encrypted data structure that includes command type\r\nand parameters. 
And depending on the command type, the backdoor malware would also execute any of the\r\nfollowing functions:\r\nTerminate a process\r\nCreate and remove a directory\r\nEnumerate available drives\r\nSearch for specific files\r\nDelete files\r\nMove/rename files\r\nDownload and upload a file\r\nExecute a specific file\r\nExecute remote shell\r\nConclusion\r\nBased on this campaign’s use of social engineering with a political theme, we believe that this is not just another\r\ncybercrime malware that attacks whoever is hit by it on the Internet. However, as of this point, we have no data on\r\nwhat specific institutions are being targeted.\r\nThis article also demonstrates how to use open-source tools to help with exploit analysis, as well as how a\r\nbackdoor malware with an already inaccessible command-and-control server can be analyzed using static analysis.\r\nCVE-2017-11826 is a very recent vulnerability and it’s safe to assume that this malware is just one of many\r\ncampaigns that will be capitalizing on this new attack vector.\r\nUpdated 30/11/2017 - Kudos to Didier Stevens (@DiederStevens) for correcting the shellcode size.\r\n-= FortiGuard Lion Team =-\r\nFortiGuard Lab Protections\r\nFile signatures:\r\nW32/Reconyc.FTG!tr.dldr\r\nW32/Irafau.A!tr.bdr\r\nMSWord/CVE20171186.FTG!exploit\r\nW32/Irafau.A!tr.bdr\r\nIPS signature:\r\nMS.Office.OOXML.Parsing.Type.Confusion.Memory.Corruption\r\nIOCs\r\nC2\r\nsaudiedi.toh.info\r\nhttp[:]//45.76.36.243/articles\r\nFiles\r\naed93c002574f25dabd1859f080203a2c8f332e92c80db9aa983316695d938d3 (rtf) -\r\nMSWord/CVE20171186.FTG!exploit\r\nd5b22843aabbbc20af253d579fd1f098138be85e2cff4677f7886e8d31ff00cb (dll) - W32/Reconyc.FTG!tr.dldr\r\n5ae0a582ed5d60324d6d1397be3deb0c704a1d77c9ef3d5f486455f99da32e7f (downloader) 
–\r\nW32/Reconyc.FTG!tr.dldr\r\nc75c89e09f7f2dbf5db5174efc8710c806ef6376c6d22512b96c22a0f861735e (backdoor) – W32/Irafau.A!tr.bdr\r\nSource: https://www.fortinet.com/blog/threat-research/cve-2017-11826-exploited-in-the-wild-with-politically-themed-rtf-document",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/cve-2017-11826-exploited-in-the-wild-with-politically-themed-rtf-document"
	],
	"report_names": [
		"cve-2017-11826-exploited-in-the-wild-with-politically-themed-rtf-document"
	],
	"threat_actors": [],
	"ts_created_at": 1775439068,
	"ts_updated_at": 1775791275,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a74848612e449c95a8c0b9a63db1574368c14d3c.pdf",
		"text": "https://archive.orkl.eu/a74848612e449c95a8c0b9a63db1574368c14d3c.txt",
		"img": "https://archive.orkl.eu/a74848612e449c95a8c0b9a63db1574368c14d3c.jpg"
	}
}