RTF malware analysis — malicious · 0537f7318edf0524

MALICIOUS

RTF

31.3 KB Created: 2016-11-27 22:42:00 First seen: 2017-10-28

MD5: 893c08bb12c66f00f06d1eeafc633cd0 SHA-1: 4e7ece3c8be78c41f78ac61f39528dc822e72d0e SHA-256: 0537f7318edf0524fe7117938e79d8b1bef0b04e4ce775f19d4d9da3d4bfe4d2

122 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains an OLE object that leverages CVE-2017-0199 to automatically link to and download a remote document from http://rottastics36w.net/template.doc. This technique is commonly used to deliver secondary payloads, indicating a malicious intent to execute further stages of an attack.

Heuristics 4

CVE-2017-0199 (OLE2Link / remote URL Moniker) critical CVE likely CVE_2017_0199

RTF contains a URL Moniker OLE link whose decoded target is remote. Office can fetch and process the response through the CVE-2017-0199 OLE2Link attack path, but the server-side content type is not proven statically.
Automatically linked OLE object high RTF_OBJAUTLINK

RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://rottastics36w.net/template.doc In RTF body
- http://schemas.microsoft.com/office/word/2003/wordmlIn RTF body

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off00003180.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x3180	2724 bytes
SHA-256: `a6cc612766fee984fa419069b663e5435cc280b0a5b740dd9290b227de3451a7`

Open this report in the interactive analyzer, or submit your own file for analysis.