Malicious RTF — malware analysis report

Static analysis result for SHA-256 0763948feacc0f9c…

MALICIOUS

RTF

821.3 KB Created: 2018-03-31 16:32:00 First seen: 2018-04-23
MD5: cdb0fb687c9b75340d6d4e93f4cb7680 SHA-1: 5677fcb140d55e2d690ebdce4d5433fec11441a4 SHA-256: 0763948feacc0f9c1245ed16e8cdb033edb4fb7dacf0f17437629491b097e3b4
Risk Score: 262

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment

The RTF file contains multiple embedded OLE objects and carries a "\objupdate" control word, indicating an attempt to activate these objects automatically when the document is opened. The critical heuristic firing for CVE-2017-8759 confirms exploitation of this vulnerability, which is commonly used to download and execute arbitrary code. The embedded URL is suspicious and likely part of the exploit chain.

Heuristics (6)

  • CVE-2017-8759 — MSXML SAX OLE activation critical CVE likely CVE_2017_8759
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • ClamAV: Doc.Macro.Obfuscation-6391394-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.Obfuscation-6391394-0
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 10 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas (found in RTF body)

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size
objdata_00_off00002cb9.bin rtf-objdata-decoded RTF \objdata at offset 0x2CB9 27707 bytes
SHA-256: fdcf2e90229a591dc28bcc6f252601eae0fe259cfbb1c60e08b3e7c24d910fba
Detection
ClamAV: Doc.Macro.Obfuscation-6391394-0
Obfuscation or payload: unlikely
objdata_01_off000164ea.bin rtf-objdata-decoded RTF \objdata at offset 0x164EA 27707 bytes
SHA-256: afdf68a71fa187684714542b758b61120cf7c7ee7df654f57cfdab568865f9a9
Detection
ClamAV: Doc.Macro.Obfuscation-6391394-0
Obfuscation or payload: unlikely
objdata_02_off00029d1b.bin rtf-objdata-decoded RTF \objdata at offset 0x29D1B 27707 bytes
SHA-256: f909f7c69406cca7aba79d3e106feae382eb839fbbc25e593841dc34ea23ee28
Detection
ClamAV: Doc.Macro.Obfuscation-6391394-0
Obfuscation or payload: unlikely
objdata_03_off0003d54c.bin rtf-objdata-decoded RTF \objdata at offset 0x3D54C 27707 bytes
SHA-256: d5d3d92d5a839051b8ee2c0e3e0ff13a565453866468639230a77894755fff81
Detection
ClamAV: Doc.Macro.Obfuscation-6391394-0
Obfuscation or payload: unlikely
objdata_04_off00050d7d.bin rtf-objdata-decoded RTF \objdata at offset 0x50D7D 27707 bytes
SHA-256: 0635a67b465368843b79af673e196e24f73adc1a5d7f30ad807c3a721dc65dfa
Detection
ClamAV: Doc.Macro.Obfuscation-6391394-0
Obfuscation or payload: unlikely
objdata_05_off000645f8.bin rtf-objdata-decoded RTF \objdata at offset 0x645F8 27707 bytes
SHA-256: cbf5e4fc46fb51bf95dad3172ebec5e2417a8ee6ed7486200153c08b96eba4ce
Detection
ClamAV: Doc.Macro.Obfuscation-6391394-0
Obfuscation or payload: unlikely
objdata_06_off00077e29.bin rtf-objdata-decoded RTF \objdata at offset 0x77E29 27707 bytes
SHA-256: 840ee1724ee9f4e9b5b27b687836ec29a5de06cdcf672a83070af47bab36dec5
Detection
ClamAV: Doc.Macro.Obfuscation-6391394-0
Obfuscation or payload: unlikely
objdata_07_off0008b65a.bin rtf-objdata-decoded RTF \objdata at offset 0x8B65A 27707 bytes
SHA-256: e41a2103db26ee92e4761213730738e5343defcfff54e816431deb3d6bf23397
Detection
ClamAV: Doc.Macro.Obfuscation-6391394-0
Obfuscation or payload: unlikely
objdata_08_off0009ee8b.bin rtf-objdata-decoded RTF \objdata at offset 0x9EE8B 27707 bytes
SHA-256: 51b0ca0cc20cf806502843656e62196b71ec35cb95adc9ec43d4a1e4ee6409ba
Detection
ClamAV: Doc.Macro.Obfuscation-6391394-0
Obfuscation or payload: unlikely
objdata_09_off000b26bc.bin rtf-objdata-decoded RTF \objdata at offset 0xB26BC 27707 bytes
SHA-256: 92f449c4219dcf1649414c515a13b1579c34bc23510f6f10be38ea6cb726faea
Detection
ClamAV: Doc.Macro.Obfuscation-6391394-0
Obfuscation or payload: unlikely