During malware analysis we often see attackers using features in creative ways to deliver and obfuscate malware. We’ve recently seen an increase with samples leveraging RTF temp files as a delivery method to encapsulate and drop malware.
The attack uses the following process to drop and execute the payload on a system.
http://phishme.com/wp-content/uploads/Figure-119.png
Figure 1 – Malware Delivery
- The User opens the Office document and enables macros.
- The macro saves the active document as an RTF file.
- The macro silently opens the RTF document.
- On Open the RTF document drops the embedded object to Temp.
- The macro executes the dropped file.
Full Article
