In this year 2017, Microsoft windows products has been widely targeted by cyber criminals. In the wild, Microsoft windows zero days has been exploited and utilized as a launchpad for several attacks. Recently a zero-day vulnerability affecting Microsoft Word was discovered,that can be leveraged to execute malicious codes. This is the third zero-day vulnerability reported in the year 2017 in Microsoft Windows products. The first two zero-days was reported in SMB (Server Message Block) server and Microsoft Browsers. The Microsoft browser vulnerability,allows remote attacker to execute arbitrary code and vulnerability affecting SMB service, allows attacker to carry out denial-of-service attacks.

The Microsoft Office zero-day vulnerability has been widely exploited by DRIDEX, LATENTBOT, FINSPY campaigns to deliver malwares. To understand how this Microsoft Office vulnerability works, we took the following malicious RTF (Rich Text Format) files for analysis.

mapleThe malicious files leverages the vulnerability and executes arbitrary code at four stages, as explained below.

The Four Stages of the attack

1. Attacker sends a specially crafted malicious RTF file with an embedded OLE2(Object Linking and Embedding) link object. In short, embedding a document in another document.

2. When the targeted user opens the RTF file, it initiates a HTTP request to anattacker controlled remote server and downloads a malicious ‘.hta’ (HTML Application) file.

3. Once the malicious ‘.hta’ file is downloaded, and the script with it is executed.

4. The malicious ‘.hta’ file then downloads another binary file ‘.exe’ (malware) and executes it.

maple                                                              Figure 1: Four Stages of Attack

The sample RTF files were scanned by VirusTotal to confirm it is malicious.


                                                          Figure 2: Virus Total Lookup of first RTF file



                                                        Figure 3: Virus Total Lookup of second RTF file

Stage 1 – Initial infection

First, we identified the document type as Rich Text Format, that is used by Microsoft Office products such as Word. 

maple                                                         Figure 4: Rich Text Format

While inspecting the malicious document through static approach it contains magic number ‘0xD0CF11E’ which implies that the malicious document contains Composite Document File (CDF) document format. CDF is generally used as a container for various file types. The below figure shows the list of embedded OLE objects in the malicious document. We extracted the OLE object for further analysis.

maple                                                           Figure 5:  Extracted OLE object                                   

Then on further inspection, we found that the type of the extracted OLE object is a CDF structure.

Analyzing the extracted CDF file, there was a URL which is hardcoded in OLE2Link object which attackers used as remote servers to download stage file i.e. the malicious HTA file.

maple            Figure 6: URL used by the malicious document to download stage 2 file ‘.hta’ as seen in Sample one   

maple             Figure 7:URL used by the malicious document to download stage 2 file ‘.hta’ as seen in Sample two                           

The extracted URLs are given in the below table.

maple                                                                            Figure 8: URL connects

The image below shows when the RTF file was opened, a dialog box appeared with a warning. The warning window asks a user permission action and mention that document tries to open a link. There lies the vulnerability that, even if you click the No button, still the malicious HTTP link is opened.

mapleAfter the above-mentioned screen, the malicious document initiates a HTTP request to attacker controlled servers and downloads a malicious ‘.hta’ file.

maple                                            Figure 9: HTTP request initiated by the first malicious document

maple                                            Figure 10: HTTP request initiated by the second malicious document

Stage 2 – Downloading malicious ‘.hta’ file

The attacker controlled server was down at the time of our analysis. We simulated the environment to satisfy the file download process. After setting up a fake and simulated internal download server, the document made a HTTP request and downloads the malicious ‘.hta’ file. In a real time attack, the attackers placed malicious VBScript or JScript within the ‘.hta’ file shall be executed.

For simulation purpose, we recreated all the malicious documents that were involved in this attack. First, we created a legitimate RTF document using Microsoft Word 2016 with a random data and named it as ‘first_document.rtf’.

maple                                              Figure 11: Creation of legitimate RTF file

Once the RTF file is created, the next step is to create a malicious ‘.hta’ file. A custom VBScript is embedded into this ‘.hta’ file. The scope of the VBScript is to open the default calculator application. 


                                            Figure 12: VB Script inside the specially crafted ‘.hta’ file

The ‘first_document.rtf’ document and the malicious ‘.hta’ file are placed in a webserver.The second malicious document ‘second_document.rtf’ is created and embedded with a OLE2link to ‘first_document.rtf’.

At IP address, runs our fake web server with RTF document and malicious ‘.HTA’ files hosted. 

maple                                                                         Figure 13: Creates OLE2link

Overall, once the ‘first_document.rtf’ file is opened, a second ‘second_document.rtf’ is opened, that in turn opens the malicious ‘.hta’ file and executes the VBScript resides within the malicious ‘.hta’ file.

This vulnerability can be exploited by the attackers without a user interaction. Once we update the ‘second_document.rtf’ file by inserting the ‘objupdate’ control, the object will get executed voluntarily on opening the document. 

 This is how the code execution is achieved.

maple                                                      Figure 14:Before inserting ‘objupdate’ control 

maple                                                  Figure 15: After inserting ‘objupdate’ control

Stage 3 and 4–Executing VBScript and downloading malicious executable file

Once the ‘second_document.rtf’ is opened, from the simulated internal download server will send a ‘.hta’ file. And this will be interpreted by the Winword client will run ‘mshta.exe’, that in turn opens the ‘calc.exe’.

maple                                                        Figure 16: After running the exploit.

maple                                                        Figure 17: ‘mshta.exe’ process after running exploit

From the above pictures, we could see that the calculator program is executed with the same privilege of the user running the Microsoft Word application. The impact of this vulnerability is very critical since without any user interaction it can download and execute malicious programs.


This vulnerability has been identified by CVE-2017-0199 and addressed in the Microsoft security advisory for April 2017.

This vulnerability affects the following products:

• Microsoft Office 2007 Service Pack 3.

• Microsoft Office 2010 Service Pack 2 (32-bit editions).

• Microsoft Office 2010 Service Pack 2 (64-bit editions).

• Microsoft Office 2013 Service Pack 1 (32-bit editions).

• Microsoft Office 2013 Service Pack 1 (64-bit editions).

• Microsoft Office 2016 (32-bit editions).

• Microsoft Office 2016 (64-bit editions).

Overall, Microsoft Office zero-day and other vulnerabilities illustrate just how important it is to ensure that software’s are up to date. The recommendation for the users is to install patches as soon as they are released which will help to prevent any malicious attacks.