Virus Bulletin :: VB2019 paper: Attribution is in the object: using RTF object dimensions to track APT phishing weaponizers
Common Information
Type Value
UUID b6aad8e6-e447-4069-9d5f-cf0bfaa30ad1
Fingerprint a431ab13a5d70fcd
Analysis status DONE
Considered CTI value 2
Text language
Published April 17, 2019, midnight
Added to db Sept. 26, 2022, 9:30 a.m.
Last updated Nov. 17, 2024, 7:44 p.m.
Headline VB2019 paper: Attribution is in the object: using RTF object dimensions to track APT phishing weaponizers
Title Virus Bulletin :: VB2019 paper: Attribution is in the object: using RTF object dimensions to track APT phishing weaponizers
Detected Hints/Tags/Attributes 168/3/186
Attributes
Details Type #Events CTI Value
Details CVE 4
cve-2018-8570
Details CVE 117
cve-2018-0802
Details CVE 375
cve-2017-11882
Details CVE 269
cve-2017-0199
Details CVE 51
cve-2014-1761
Details CVE 176
cve-2012-0158
Details CVE 58
cve-2018-0798
Details CVE 30
cve-2015-7645
Details CVE 57
cve-2016-4117
Details CVE 32
cve-2016-1019
Details CVE 63
cve-2017-8570
Details Github username 15
decalage2
Details Mandiant Temporary Group Assumption 44
TEMP.PERISCOPE
Details Mandiant Temporary Group Assumption 8
TEMP.TRIDENT
Details Mandiant Temporary Group Assumption 35
TEMP.HEX
Details Threat Actor Identifier - APT 143
APT40
Details Url 1
https://enterprise.verizon.com/resources/reports/dbir/.
Details Url 1
https://www.sans.org/cyber-security-summit/archives/file/summit_archive_1548184559.pdf
Details Url 1
https://www.fireeye.com/blog/threat-research/2016/05/how_rtf_malware_evad.html
Details Url 1
https://securelist.com/disappearing-bytes/84017/.
Details Url 2
https://paper.seebug.org/papers/apt/apt_cybercriminal_campagin/2012/normanshark-maudioperation.pdf
Details Url 1
https://threatvector.cylance.com/en_us/home/reaver-mapping-connections-between-disparate-chinese-apt-groups.html
Details Url 2
https://github.com/decalage2/oletools/issues/307
Details Url 1
https://www.anquanke.com/post/id/168455.
Details Url 1
https://myonlinesecurity.co.uk/scan-from-a-samsung-mfp-malspam-delivers-locky-osiris/.
Details Url 2
https://dodcio.defense.gov/portals/0/documents/cyber/cyberdis-impplan.pdf
Details Url 1
https://www.anomali.com/blog/analyzing-digital-quartermasters-in-asia-do-chinese-and-indian-apts-have-a-shared-supply-chain.
Details Url 1
https://twitter.com/gossithedog/statuses/1118478326908248064.
Details Url 1
https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/.
Details Url 1
https://unit42.paloaltonetworks.com/aggah-campaign-bit-ly-blogspot-and-pastebin-used-for-c2-in-large-scale-campaign/.
Details Yara rule 1
rule Royal_Road_RTF_weaponizer {
	meta:
		author = "Anomali"
		tlp = "GREEN"
		version = "2.0"
		date = "2018-11-10"
		hash = "9d0c4ec62abe79e754eaa2fd7696f98441bc783781d8656065cddfae3dbf503e"
		description = "Detects malicious Royal Road RTF from object dimension"
	strings:
		$S1 = "objw2180\\objh300"
		$RTF = "{\\rt"
	condition:
		$RTF at 0 and $S1
}