The e-mail OriginalMessage.txt.msg carries as an attachment the malicious file Prezent_UA_2k_berezen_PRESS.ppsx, a 16-slide presentation on the socio-political situation in Ukraine.
How does this malicious file work?
The malicious file is interesting because it contains no embedded malicious macros. Instead, the intruders exploited the CVE-2017-0199 vulnerability, which allows a malicious PPSX file to be generated and a payload delivered to the victim without any complex configuration. The exploit relies on the file slide1.xml.rels. Files with a .rels extension are relationship files: they describe how the parts of a Microsoft Office document fit together, information also referred to as “relationship parts”. In this malicious presentation, the address hxxp://socis.cf/?file=wj5yuxmp.hmf was written into the slide1.xml.rels file:
Opening hxxp://socis.cf/?file=wj5yuxmp.hmf returns a script that creates a malicious file in the %temp% directory and runs it. As of the time of analysis, this address is no longer available.
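Because the trick described above lives entirely in a relationship part rather than in a macro, a simple triage step is to unpack the PPSX (it is an ordinary zip archive) and list every `.rels` relationship with `TargetMode="External"`, treating remote http(s) targets that are not plain hyperlinks as worth a closer look. The script below is an added example, not code from the original analysis; it builds a constructed, harmless in-memory PPSX with a placeholder URL (`example.invalid`) so it runs offline, and accepts a real file path as its first argument.

```python
import io
import sys
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Namespace used by Office Open XML relationship (.rels) parts.
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Relationship type of an ordinary hyperlink; external targets of this type are routine.
HYPERLINK_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"

# Constructed stand-in for ppt/slides/_rels/slide1.xml.rels: a normal hyperlink,
# an internal layout reference, and one non-hyperlink relationship whose target
# is a remote URL (placeholder host, not the real indicator from the analysis).
CONSTRUCTED_RELS = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="{HYPERLINK_TYPE}"
      Target="https://example.invalid/press" TargetMode="External"/>
  <Relationship Id="rId2"
      Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout"
      Target="../slideLayouts/slideLayout1.xml"/>
  <Relationship Id="rId3"
      Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
      Target="http://example.invalid/?file=placeholder" TargetMode="External"/>
</Relationships>
"""


def build_constructed_ppsx() -> bytes:
    """Build an in-memory zip shaped like a PPSX so the scanner has input to read."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/slides/slide1.xml", "<p:sld/>")
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", CONSTRUCTED_RELS)
    return buf.getvalue()


def external_relationships(doc: bytes) -> list[dict]:
    """Return every relationship with TargetMode="External" from all .rels parts."""
    found = []
    with zipfile.ZipFile(io.BytesIO(doc)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            # For untrusted documents in production, parse with defusedxml instead
            # of the standard library to avoid entity-expansion tricks.
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                found.append({
                    "part": name,
                    "id": rel.get("Id"),
                    # Keep only the last path segment of the type URI, e.g. "hyperlink".
                    "type": rel.get("Type", "").rsplit("/", 1)[-1],
                    "target": rel.get("Target", ""),
                })
    return found


def suspicious_relationships(doc: bytes) -> list[dict]:
    """Flag external relationships that point at a remote http(s) resource and are
    not plain hyperlinks; a presentation part fetching such a target is unusual."""
    hits = []
    for rel in external_relationships(doc):
        scheme = urlsplit(rel["target"]).scheme.lower()
        if scheme in ("http", "https") and rel["type"] != "hyperlink":
            hits.append(rel)
    return hits


if __name__ == "__main__":
    # Scan the file given on the command line, or the constructed sample when none is given.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            document = fh.read()
    else:
        document = build_constructed_ppsx()
    for hit in suspicious_relationships(document):
        print(f"{hit['part']} {hit['id']} ({hit['type']}): {hit['target']}")
```

On the constructed sample the scanner reports only `rId3`, the non-hyperlink relationship with a remote target, and ignores the ordinary hyperlink and the internal layout reference; on a real document the same listing shows which slide part carries the external reference and what it points to, which is the information a responder needs before any sandbox run.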
Indicators of Compromise
URLs:
hxxp://socis.cf/?file=wj5yuxmp.hmf
IP addresses:
185.176.43.94 (Bulgaria)
Files:
Prezent_UA_2k_berezen_PRESS.ppsx
MD5: CAFB6B5795C26376289832CFFC3AEE94