VirusTotal Analysis of delivered document confirms presence of RTF exploit.
After opening the document in a vulnerable Microsoft Word application, users are warned that the document is attempting to download externally linked files.
Upon clicking "Yes", and a direct to IP connection to 173.44.42[.]164 is established and the following network events take place.
As shown above, "3Pxi69djmwiIKmc.hta" (VirusTotal and Hybrid-Analysis) was the first download. This file creates two XMLHTTP objects using VBScript which helps to connect and download VBS file which acts as Trojan Downloader. It also creates Shell object to execute HTA file as Internet Explorer Application.
In the same session, "nJwsm39La.html” then deletes both the VBS and executable file.
Once the download is complete, the binary is executed and post-infection traffic started.
Current RSA NetWitness detection populates following meta for the download sessions:
You can also check FirstWatch recent threat advisory on the recent uptick in malspam attempting to exploit CVE-2017-0199, Malspam and CVE-2017-0199