This is a writeup for the Emprisa Maldoc challenge on CyberDefenders; the challenge can be found here.
For this writeup I will be using the REMnux VM to analyze the file.
Let’s get right into it.
Q1:
The question asks for the CVE of the vulnerability. First things first: before we start analyzing the malware, we can compute a hash of the file, for instance with md5sum, and look it up on VirusTotal to see whether the sample is already known (searching by hash does not upload the file itself).
md5sum c39-EmprisaMaldoc.rtf
Searching for the hash on VirusTotal, right away we see that the file is flagged as malicious, and the CVE is shown as well.
Pretty easy, right?
PS: You can read more about the CVE at this link.
Q2
I did some Google searches and found this link to Microsoft's patch information for the different Office products.
Since the question was asking about Microsoft Office 2007, I followed the link and got the patch number.
Q3
Taking a look at the hint, it mentioned something to do with an RTF data dump.
I found this link that lists some useful tools for maldoc analysis. One of them is rtfdump.py (by Didier Stevens), which is used to analyze RTF files.
That tool comes pre-installed in REMnux. You can also download it manually here.
I ran the following command to see the tool's options:
rtfdump.py -h
I decided to use the -d option to dump the data.
Analyzing the output, I saw the magic bytes.
Q3
Here I did some research on how to analyze an RTF file. This link was super helpful.
First I needed to check for the presence of embedded OLE objects:
rtfdump.py -f O c39-EmprisaMaldoc.rtf
I found it in ‘Equation.3\x00’ (the class name of a Microsoft Equation Editor object). We can go ahead and analyze it further.
Looking at the help output of rtfdump.py, I found some helpful options to use.
Since I had already found the object in ‘Equation.3\x00’ and was looking for more information, I found out that the object data is stored as hexadecimal text, so with that information I used this command:
rtfdump.py c39-EmprisaMaldoc.rtf -s 7 -H -i
- -s selects the item number reported for the OLE object (item 7 here)
- -H hex-decodes the item's data
- -i prints extra info for the selected item
Afterwards, I also tried to dump only the hex output, but I did not get anything useful.
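To make clear what rtfdump.py is doing in the commands above (-f O to find embedded OLE objects, -H to hex-decode the object data, -i to print its details), here is an added example written for this writeup; it is not part of the original post and not code from rtfdump.py. It builds a constructed sample RTF inline (not the challenge file), with one embedded OLE 1.0 object whose class name is Equation.3 and whose native data starts with the OLE compound file magic, then walks each \objdata group, decodes the hex the way Word does (ignoring whitespace, nested control words and stray non-hex characters, a leniency maldocs abuse), parses the OLE 1.0 header and reports the class name and whether the compound file magic is present. Function and variable names are my own.

```python
import re
import struct

# Magic bytes of an OLE Compound File (the "magic" rtfdump showed in the dump).
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def build_ole1_objdata(class_name: str, native: bytes) -> bytes:
    """Serialize an OLE 1.0 embedded-object record, the layout an \\objdata
    group carries (MS-OLEDS): version, format id, three length-prefixed
    strings, then the native data with its size."""
    name = class_name.encode("ascii") + b"\x00"
    return (
        struct.pack("<I", 0x00000501)              # OLEVersion
        + struct.pack("<I", 2)                     # FormatID: 2 = embedded, 1 = linked
        + struct.pack("<I", len(name)) + name      # ClassName, length includes the NUL
        + struct.pack("<I", 0)                     # TopicName: empty
        + struct.pack("<I", 0)                     # ItemName: empty
        + struct.pack("<I", len(native)) + native  # NativeDataSize + NativeData
    )


def hex_lines(data: bytes, width: int = 64) -> str:
    """Hex-encode data and wrap it into lines, as Word writes \\objdata."""
    h = data.hex()
    return "\n".join(h[i:i + width] for i in range(0, len(h), width))


# Constructed sample RTF (not the challenge file): one embedded object whose
# class name is Equation.3, wrapping a stub that starts with the CFB magic.
SAMPLE_OBJDATA = build_ole1_objdata("Equation.3", CFB_MAGIC + b"\x00" * 24)
SAMPLE_RTF = (
    r"{\rtf1\ansi\deff0{\fonttbl{\f0 Calibri;}}" + "\n"
    + r"{\object\objemb{\*\objclass Equation.3}\objw400\objh300" + "\n"
    + r"{\*\objdata " + hex_lines(SAMPLE_OBJDATA) + "}}" + "\n"
    + r"\par Nothing to see here.\par}"
)


def extract_objdata_groups(rtf: str) -> list:
    """Return the text of every \\objdata group, tracking nested braces."""
    groups = []
    for m in re.finditer(r"\\objdata(?![A-Za-z])", rtf):
        depth, i, start = 1, m.end(), m.end()
        while i < len(rtf) and depth:
            depth += {"{": 1, "}": -1}.get(rtf[i], 0)
            i += 1
        groups.append(rtf[start:i - 1] if depth == 0 else rtf[start:i])
    return groups


def decode_objdata(group: str) -> bytes:
    """Turn the hex text of an \\objdata group into bytes (what rtfdump -H does).
    Word skips whitespace, nested control words and stray non-hex characters,
    so naive decoders choke on obfuscated files; this one is just as lenient."""
    text = re.sub(r"\\[A-Za-z]+-?\d* ?", "", group)   # drop nested control words
    digits = "".join(c for c in text if c in "0123456789abcdefABCDEF")
    if len(digits) % 2:
        digits = digits[:-1]                          # ignore a dangling nibble
    return bytes.fromhex(digits)


def parse_ole1(data: bytes) -> dict:
    """Parse the OLE 1.0 header in front of the embedded object's native data."""
    version, format_id = struct.unpack_from("<II", data, 0)
    off = 8

    def lp_string(o):
        n, = struct.unpack_from("<I", data, o)
        s = data[o + 4:o + 4 + n]
        return s.rstrip(b"\x00").decode("latin-1"), o + 4 + n

    class_name, off = lp_string(off)
    _topic, off = lp_string(off)
    _item, off = lp_string(off)
    size, = struct.unpack_from("<I", data, off)
    native = data[off + 4:off + 4 + size]
    return {
        "version": version,
        "format_id": format_id,
        "class_name": class_name,
        "native_size": size,
        "is_cfb": native.startswith(CFB_MAGIC),   # D0 CF 11 E0 A1 B1 1A E1
        "truncated": len(native) < size,          # declared size beyond the data
    }


def analyze_rtf(rtf: str) -> list:
    """List every embedded OLE object with its class name and magic check."""
    return [parse_ole1(decode_objdata(g)) for g in extract_objdata_groups(rtf)]


if __name__ == "__main__":
    for n, obj in enumerate(analyze_rtf(SAMPLE_RTF), 1):
        print(f"object {n}: class={obj['class_name']!r} format_id={obj['format_id']} "
              f"native_size={obj['native_size']} cfb_magic={obj['is_cfb']}")
```

Run it as a script to print one line per embedded object; on a real sample, replace SAMPLE_RTF with the file contents read as text. The class name is the first thing to look at: Equation.3 means the document wants Office to hand the object to the Equation Editor, and the native data after the OLE 1.0 header is what you would then carve out and examine next.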
Here I spent some time switching from one VM to the other, from REMnux to FLARE and so forth.
Side note: it was at this moment I learned that one can install Procmon in REMnux, LOL!
You can manually install Procmon for Linux here.
Anyway, I set up Procmon and fired up FakeNet to see if I would be able to catch any connections.
Second Part Coming soon.