RTF malware analysis — malicious · 058c9812192c5bb8

MALICIOUS

RTF

42.7 KB Created: 2017-11-30 20:33:00 First seen: 2017-12-08

MD5: ec1f66a627b57b53d28e872de2c9800b SHA-1: 16e2f0c5fa222a9057c58522f8bdab3aa4459e87 SHA-256: 058c9812192c5bb84120e633c33729d6d3f7fa31958ef7b841d0b1de77f0192d

122 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution

The sample is an RTF document that exploits CVE-2017-0199, a known vulnerability in Microsoft Office, to download and execute a malicious HTA file from the URL http://kenion.com.mx/doro/htaafrica.hta. The embedded OLE object data and the weaponized URL firing strongly indicate this exploit. The document body appears to be a benign invoice, suggesting the exploit is the primary malicious function.

Heuristics 4

CVE-2017-0199 (OLE2Link / weaponized URL) critical CVE exact CVE_2017_0199_WEAPONIZED_URL

RTF contains a URL Moniker OLE link to a script/HTA/template-style remote loader, matching the tighter static CVE-2017-0199 shape.
Automatically linked OLE object high RTF_OBJAUTLINK

RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://kenion.com.mx/doro/htaafrica.hta In RTF body
- http://schemas.microsoft.com/office/word/2003/wordmlIn RTF body

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off00002ca7.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x2CA7	3640 bytes
SHA-256: `6884cc4da5bf2ccb25027757272ff877a95247c209fc305fa43f8d33ec0eedec`

Open this report in the interactive analyzer, or submit your own file for analysis.