Check Point researchers obtained a sample of a malicious Word document that was used in an attack attempt against one of our customers. The sample itself is a Rich Text Format (RTF) file with a .DOC extension. Recently, there has been a resurgence of the trend to use malicious macro code inside office documents. However, this wasn’t the case here.
We were dealing with a sample created by the MWI (Microsoft Word Intruder) Exploit Kit.
MWI is a builder of malicious DOC/RTF files and is accompanied by MWISTAT, a statistics panel which tracks the infections.
In this post I present a deep analysis of the sample: its structure, the different exploits used, the mitigation bypass techniques, and its behaviour.
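As an added triage check (not part of the original analysis or of any Check Point tooling), the following Python snippet sniffs the real container format of an Office document from its leading bytes and flags a mismatch with its extension, which is exactly the RTF-under-.DOC situation described above. The file name and bytes are constructed for illustration.

```python
import os

# Magic-byte signatures for the container formats Word will open.
# Word sniffs content rather than trusting the extension, so a ".doc"
# may really be RTF (as with the MWI sample discussed in this post).
SIGNATURES = {
    b"{\\rtf": "rtf",                              # Rich Text Format
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",   # legacy binary .doc (OLE/CFB)
    b"PK\x03\x04": "ooxml",                       # .docx/.docm (ZIP container)
}

# Container each extension is expected to carry.
EXPECTED = {".doc": "ole", ".dot": "ole", ".docx": "ooxml",
            ".docm": "ooxml", ".rtf": "rtf"}


def sniff_container(data: bytes) -> str:
    """Return the container type implied by the leading bytes, or 'unknown'.
    Word's RTF parser is lenient about the header, so treat this as a
    first-pass check, not a definitive classification."""
    head = data[:16]
    for magic, kind in SIGNATURES.items():
        if head.startswith(magic):
            return kind
    return "unknown"


def check_extension_mismatch(filename: str, data: bytes) -> dict:
    """Compare the container implied by the extension with the sniffed one.
    A mismatch (e.g. RTF content under .doc) is a triage flag, not proof of malice."""
    ext = os.path.splitext(filename)[1].lower()
    actual = sniff_container(data)
    expected = EXPECTED.get(ext, "unknown")
    return {
        "file": filename,
        "extension": ext,
        "expected": expected,
        "actual": actual,
        "mismatch": expected != "unknown" and actual != expected,
    }


if __name__ == "__main__":
    # Constructed sample bytes (not the real MWI document): RTF header under a .doc name.
    sample = b"{\\rtf1\\ansi\\deff0 {\\object\\objemb ...}}"
    print(check_extension_mismatch("invoice.doc", sample))
```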