Analysis of Malicious Document Files Spammed by Cutwail

In our Global Security Report, we highlighted a zero-day vulnerability in the Windows Common Controls affecting Microsoft Office (CVE-2012-0158). This was reportedly being used for targeted attacks against NGOs and human rights activists.

Over the past week, the Cutwail botnet has been sending out spam containing malicious documents that exploit the aforementioned vulnerability, CVE-2012-0158. The use of a loaded RTF attachment is a departure from normal for Cutwail; usually it distributes executable attachments or links to exploit kits.

The spam claims to be from Citibank or Bank of America. It may use "Merchant Statement" as the subject line and has an accompanying .DOC file attached.

[Figure: Spam campaign samples]
The .DOC attachment is actually in RTF file format and was crafted to exploit an error in the ActiveX controls found in MSCOMCTL.OCX (Windows Common Controls). The vulnerability is also known as the "MSCOMCTL.OCX RCE Vulnerability".

[Figure: The malicious RTF file header]

This exploit affects older versions of Microsoft Office such as Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1, among others. This issue was patched a year ago and was included in Microsoft Security Bulletin MS12-027.

The Shellcode and the Payload

To verify that the RTF file was indeed malicious, we initially scanned the file using a tool from the OfficeMalScanner suite, RTFScan.exe. This provided an overview of the malicious RTF file. The tool also dumped the embedded suspicious OLE document found in the RTF file. RTFScan found a seemingly malicious object inside the file, and VirusTotal's high detection rate gave us high confidence that we were indeed dealing with a malicious RTF document.

[Figure: RTFScan result]

[Figure: The suspicious embedded OLE object that RTFScan detected]

One of the objectives of this analysis is to find the shellcode that will be executed when the exploit is triggered. Luckily, the shellcode string can be easily spotted within the malicious RTF document, characterized by the string "E9" (the opcode for a relative JMP) and a series of 90s (NOP instructions). So by dumping the shellcode strings and converting them to binary, we can disassemble and analyze the shellcode easily.

[Figure: The disassembled shellcode]

The disassembled shellcode shows an initial walk of the Process Environment Block (PEB) to locate the Kernel32.dll address space, followed by manual resolution of imported API (Application Programming Interface) functions through hashing. This common shellcode technique is used to resolve the addresses of the API functions it needs when running on a Windows system.

Here is the list of hashes and their corresponding APIs that the shellcode uses:

0xBBAFDF85 GetProcAddress
0xAC0A138E GetFileSize
0x9424D45A GlobalAlloc
0xDBACBE43 SetFilePointer
0x130F36B2 ReadFile
0x94E43293 CreateFileA
0x837DE239 GetTempPathA
0x741F8DC4 WriteFile
0xFF0D6657 CloseHandle
0x01A22F51 WinExec
0xB4FFAFED GetModuleFileNameA
0x4FD18963 ExitProcess

That list of APIs alone gives a good idea of what the shellcode is going to do.
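When a shellcode resolves APIs by hash, the analyst's job is the reverse of the shellcode's: recover the hash routine from the disassembly, hash the export names of the usual DLLs with it, and look each recovered value up. The Python below is an added example, not code from the Trustwave post, and it does not claim to know which routine this sample used (the post does not say). It takes the twelve hash/name pairs listed above as ground truth and shows how to score candidate routines against them; the two candidates it ships with, "rotate right by N then add each byte" with N=13 and N=7, are assumptions chosen because ROR13 is the classic form of this technique, and the function names are my own.

```python
# Hash values and the API names they resolve to, as recovered in the post.
RECOVERED_HASHES = {
    0xBBAFDF85: "GetProcAddress",
    0xAC0A138E: "GetFileSize",
    0x9424D45A: "GlobalAlloc",
    0xDBACBE43: "SetFilePointer",
    0x130F36B2: "ReadFile",
    0x94E43293: "CreateFileA",
    0x837DE239: "GetTempPathA",
    0x741F8DC4: "WriteFile",
    0xFF0D6657: "CloseHandle",
    0x01A22F51: "WinExec",
    0xB4FFAFED: "GetModuleFileNameA",
    0x4FD18963: "ExitProcess",
}


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by count bits."""
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF


def make_ror_add_hash(bits: int):
    """Build a 'rotate-then-add' export-name hash with the given rotate count.
    ROR13 is the best-known instance; whether this sample used it is NOT
    established by the post, so these are candidates to test, not facts."""
    def hash_name(name: bytes) -> int:
        acc = 0
        for byte in name:          # no NUL terminator folded in (assumption)
            acc = (ror32(acc, bits) + byte) & 0xFFFFFFFF
        return acc
    return hash_name


CANDIDATES = {
    "ror13_add": make_ror_add_hash(13),
    "ror7_add": make_ror_add_hash(7),
}


def build_lookup(hash_fn, names) -> dict:
    """Precompute hash -> name for a list of export names (e.g. kernel32 exports)."""
    return {hash_fn(n.encode("ascii")): n for n in names}


def resolve(hashes, lookup: dict) -> dict:
    """Map each recovered hash to a name, or None if the table has no match."""
    return {h: lookup.get(h) for h in hashes}


def score_candidate(hash_fn, recovered: dict) -> tuple:
    """Return (matched, total): how many recovered hash/name pairs hash_fn reproduces.
    A routine that scores total/total is the one the shellcode implements."""
    matched = sum(1 for h, name in recovered.items() if hash_fn(name.encode("ascii")) == h)
    return matched, len(recovered)


def best_candidate(recovered: dict) -> dict:
    """Score every candidate routine against the recovered pairs."""
    return {label: score_candidate(fn, recovered) for label, fn in CANDIDATES.items()}


if __name__ == "__main__":
    for label, (hit, total) in best_candidate(RECOVERED_HASHES).items():
        print(f"{label:10s} reproduces {hit}/{total} of the recovered hashes")
    # Once the right routine is known, unknown hashes from another sample resolve like this:
    table = build_lookup(CANDIDATES["ror13_add"], RECOVERED_HASHES.values())
    print(resolve([CANDIDATES["ror13_add"](b"WinExec")], table))
```

A candidate that reproduces none of the twelve pairs is simply wrong for this sample; the loop over CANDIDATES is where an analyst adds the routine actually lifted from the disassembly (rotate count, XOR instead of add, case folding, whether the terminating NUL is hashed) until one scores 12/12.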

With further investigation, we saw the shellcode decrypt a Trojan executable file embedded in the malicious RTF document using a simple XOR operation. The file is then dropped and installed in the user's %TEMP% directory with the filename PAW.EXE.


The Trojan is embedded in the RTF document encrypted by XOR with the key 0x3F.

[Figure: The payload embedded and XOR-encrypted in the RTF document]
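The two manual steps described above, pulling the shellcode out of the RTF hex stream by its NOP run and relative JMP, and recovering the payload XORed with 0x3F, can be scripted for triage of similar attachments. The Python below is an added example and is not code from the Trustwave post or the OfficeMalScanner suite: it parses a small RTF constructed inline (a stand-in, with invented offsets and a fake PE header, not the real sample), and the function names, the minimum NOP-run length and the heuristic of locating the payload through its DOS stub string are all my own assumptions.

```python
import re

XOR_KEY = 0x3F  # the key reported for this sample; used here only to build the constructed input


def build_sample_rtf() -> bytes:
    """Constructed stand-in for the attachment: an RTF whose \\objdata hex stream carries
    a NOP run followed by a relative JMP (0xE9) and an XOR-0x3F-encoded fake PE header.
    Contents and offsets are invented for the demonstration."""
    fake_pe = b"MZ\x90\x00" + b"\x00" * 12 + b"This program cannot be run in DOS mode."
    encoded_pe = bytes(b ^ XOR_KEY for b in fake_pe)
    shell = b"\x90" * 32 + b"\xe9\x10\x00\x00\x00" + b"\x90" * 16
    blob = b"\x01\x02" * 8 + shell + b"\xaa" * 20 + encoded_pe + b"\x00" * 8
    return ("{\\rtf1{\\object\\objemb{\\*\\objdata " + blob.hex() + "}}}").encode("ascii")


# A run of at least 16 hex byte pairs, whitespace allowed between pairs (RTF wraps long streams).
HEX_RUN = re.compile(rb"(?:[0-9A-Fa-f]{2}\s*){16,}")


def extract_hex_streams(rtf: bytes) -> list:
    """Decode every long hex run in the RTF text back into the binary it encodes."""
    blobs = []
    for m in HEX_RUN.finditer(rtf):
        clean = re.sub(rb"\s+", b"", m.group(0))
        blobs.append(bytes.fromhex(clean.decode("ascii")))
    return blobs


def find_nop_sleds(blob: bytes, min_len: int = 16) -> list:
    """Locate runs of NOP (0x90) at least min_len long and note whether a relative
    JMP opcode (0xE9) immediately follows, the pattern that marked the shellcode here."""
    sleds = []
    for m in re.finditer(rb"\x90{%d,}" % min_len, blob):
        end = m.end()
        sleds.append({"offset": m.start(), "length": end - m.start(),
                      "jmp_after": blob[end:end + 1] == b"\xe9"})
    return sleds


def find_xor_pe(blob: bytes, keys=range(1, 256)) -> list:
    """Look for a PE image hidden under a single-byte XOR: the DOS stub message must decode
    with the same key as an 'MZ' magic a short distance before it. Trying every key means
    the script still works when a sample uses a key other than 0x3F."""
    stub = b"This program cannot be run"
    hits = []
    for key in keys:
        needle = bytes(b ^ key for b in stub)
        for m in re.finditer(re.escape(needle), blob):
            magic = bytes((ord("M") ^ key, ord("Z") ^ key))
            start = blob.rfind(magic, max(0, m.start() - 0x100), m.start())
            if start == -1:
                continue
            decoded = bytes(b ^ key for b in blob[start:])
            if decoded.startswith(b"MZ"):
                hits.append({"offset": start, "key": key, "decoded": decoded})
    return hits


def triage(rtf: bytes) -> dict:
    """Run both checks over every hex stream and summarise what was found."""
    report = {"streams": 0, "nop_sleds": [], "xor_payloads": []}
    for idx, blob in enumerate(extract_hex_streams(rtf)):
        report["streams"] += 1
        for sled in find_nop_sleds(blob):
            report["nop_sleds"].append(dict(sled, stream=idx))
        for hit in find_xor_pe(blob):
            report["xor_payloads"].append({"stream": idx, "offset": hit["offset"],
                                           "key": hit["key"], "size": len(hit["decoded"])})
    return report


if __name__ == "__main__":
    print(triage(build_sample_rtf()))
```

On a real attachment the decoded bytes from find_xor_pe are what you would write to disk (in an isolated analysis environment) and hash for a VirusTotal lookup, and the sled offsets are what you feed to the disassembler; the NOP-run heuristic is deliberately loose, so treat a hit as a reason to look, not as a verdict.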

Additionally, the code also drops another Word document file in the Temp directory with the filename VC.DOC. This dropped decoy document is non-malicious and is opened after the shellcode has installed the Trojan.

The installed Trojan is none other than the Zeus Trojan. An analysis of this well-known Trojan can be read in our previous blog.


To sum up, once an unsuspecting victim is lured into opening the malicious RTF document, the exploit triggers the vulnerability in Microsoft Word, causing it to run the embedded shellcode. The shellcode then drops and installs its payload.

It is worth noting that even a year after the patch for this Microsoft Office vulnerability was released, cyber-criminals continue to use this exploit. It is always good advice to keep all your software up to date and to avoid opening unsolicited email.

Trustwave MailMarshal and Mailmax customers are protected from this threat.
