    Malware Blog > No Safe Place for Office Documents?

    If you keep up with the news in the security industry, then you know that a lot of vulnerabilities in MS Office applications are being exploited. Because of this, it has become common advice to use safer document formats like RTF. What didn’t cross my mind is that RTF files can still have an object embedded in them, and if this can be done, there’s no reason why malware can’t be embedded in an RTF file as well. With good social engineering, which in most cases is the downfall of good security, a malware infection can start from an RTF file. That may be the case with this RTF file, detected by Trend as TROJ_DLOADER.MC…
    When the file is opened, it fools users into thinking that an error has just occurred and that they need to double-click the embedded file to load the original document.

    RTF file with embedded object
    Of course, by doing this the user is actually loading the embedded object, and in the case of an embedded EXE file, that action causes it to execute. Before MS Word loads the file, though, a warning message is shown to the user.

    warning message
    Normally the warning would already put users on alert, but since the user already believes that this action will load the original document, he’d probably just click Yes and be done with it, unknowingly starting the malware infection on his system. The embedded file (also detected as TROJ_DLOADER.MC) in this case downloads a file that is detected as TSPY_AGENT.PPR. Given this, I would still recommend the use of RTF files. Why?


    1. It is still widely recognized and supported by a lot of word processors.
    2. It is still a lot safer than other formats.

    Users just have to be smart about how they deal with embedded objects so they can stay on the safe side. Here are a few tips:

    • Right click the embedded object and check what it is using Object Packager.

      Using Object Packager

    • This will show the embedded object inside the RTF file. The .EXE extension should at least raise a red flag here. Again, with good social engineering the malware author named the file MICROS~1.EXE, but please don’t be fooled.
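
The Object Packager check above can also be done without opening the document in Word. The following is an added example, not code from the original post: it decodes each \objdata blob in an RTF file, reads the OLE 1.0 class name, and flags executable file names or an MZ header. The function names and the sample are constructed for illustration, and it assumes the \objdata hex is stored plainly (no obfuscation).

```python
import re
import struct

# Executable-looking file names, including 8.3 short names such as MICROS~1.EXE
EXEC_NAME = re.compile(rb"[\w~\-. ]+\.(?:exe|scr|com|pif|bat|cmd)\b", re.I)

def lp_string(buf, pos):
    """Read an OLE 1.0 length-prefixed ANSI string starting at pos."""
    (n,) = struct.unpack_from("<I", buf, pos)
    return buf[pos + 4 : pos + 4 + n].rstrip(b"\0").decode("latin-1")

def scan_rtf(rtf: bytes):
    """Return one finding per \\objdata blob embedded in the RTF."""
    findings = []
    for m in re.finditer(rb"\\objdata\s*([0-9a-fA-F\s]+)", rtf):
        digits = re.sub(rb"\s+", b"", m.group(1))
        blob = bytes.fromhex(digits[: len(digits) & ~1].decode("ascii"))
        try:
            # ObjectHeader: OLEVersion (4 bytes), FormatID (4 bytes), ClassName
            class_name = lp_string(blob, 8)
        except struct.error:
            class_name = "?"  # truncated or malformed header
        names = sorted({n.decode("latin-1") for n in EXEC_NAME.findall(blob)})
        has_mz = b"MZ" in blob  # heuristic: DOS/PE magic anywhere in the payload
        findings.append({"class": class_name, "exe_names": names,
                         "has_mz": has_mz, "suspicious": bool(names) or has_mz})
    return findings

def build_sample_rtf():
    """Constructed sample: a Package object wrapping an inert 'MZ' placeholder."""
    def lp(s):
        return struct.pack("<I", len(s) + 1) + s + b"\0"
    native = (b"\x02\x00MICROS~1.EXE\0C:\\TEMP\\MICROS~1.EXE\0"
              + b"MZ" + b"\0" * 16)  # not a working executable
    blob = (struct.pack("<II", 0x501, 2) + lp(b"Package")
            + struct.pack("<II", 0, 0)          # empty TopicName and ItemName
            + struct.pack("<I", len(native)) + native)
    return b"{\\rtf1{\\object\\objemb{\\*\\objdata " + blob.hex().encode() + b"}}}"

if __name__ == "__main__":
    for finding in scan_rtf(build_sample_rtf()):
        print(finding)
```

A finding with class "Package" and an executable name is the same red flag the Object Packager dialog shows, surfaced before anyone double-clicks the object.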





    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice