Malicious RTF — malware analysis report

Static analysis result for SHA-256 085a480e0df97b40…

Verdict: MALICIOUS
File type: RTF
Size: 1.33 MB
First seen: 2019-01-20
MD5: 61d541a17f59661d55bdf24b77bfb83e
SHA-1: 7b84c302294a71ea4e0f2581cd70d551094d2349
SHA-256: 085a480e0df97b40c73b3f4a8df7792c26c4a11fddff2f4cd3afb961078459af
Risk score: 222

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF carries seven embedded OLE objects and has the delivery shape of CVE-2017-8570, the Composite Moniker logic flaw in Office that is exploited by dropping a scriptlet (.sct) file from the document and binding a moniker to it so that the script runs when the object is activated. The Composite Moniker CLSID inside the decoded object data, combined with more than 1 MB of hex-encoded content across the \objdata sections and an \objupdate control word that triggers activation on open, strongly suggests embedded code meant to execute without user interaction. No scriptlet content was recovered from the carved objects, so the verdict rests on the exploit pattern rather than on an extracted payload; the expected effect is client-side code execution when the document is opened (T1203).

Heuristics (7)

  • Composite Moniker — CVE-2017-8570 (drops SCT script) [critical; CVE related; rule CVE_2017_8570]
    RTF \objdata decodes to OLE data containing the Composite Moniker CLSID {00000309-0000-0000-C000-000000000046}: the vulnerable moniker is embedded directly in the document's object stream, which is the delivery shape of this exploit. RTF objects are instantiated when Word opens the file, so activation needs nothing beyond opening the document.
  • Composite Moniker in RTF OLE object [high; CVE related; rule RTF_COMPOSITE_MONIKER_RELATED]
    RTF contains the Composite Moniker CLSID in an OLE object context, but no scriptlet/SCT payload was confirmed near it. Treat this on its own as moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • \objupdate forces OLE activation [high; rule RTF_OBJUPDATE]
    RTF contains \objupdate, which makes Word instantiate (update) the OLE object as soon as the document is opened instead of waiting for the user to click it. Legitimate documents rarely need it; it is a staple of exploit documents, including Equation Editor (CVE-2017-11882) and moniker-based (CVE-2017-0199, CVE-2017-8570) chains.
  • Large hex data blocks in OLE object [high; rule RTF_EXCESSIVE_HEX]
    RTF contains ~1155 KB of hex-encoded data inside \objdata sections; the second carved object alone decodes to 577,763 bytes, i.e. about 1155 KB of hex. A block that size is far larger than any moniker or link object needs and is consistent with a payload carried inside the document rather than fetched at run time.
  • OLE object data [medium; rule RTF_OBJDATA]
    RTF contains 7 \objdata section(s), i.e. seven embedded OLE objects
  • Embedded OLE object [medium; rule RTF_OBJEMB]
    RTF contains \objemb, an embedded (as opposed to linked) OLE object
  • Embedded URL [info; rule EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Every URL listed here is an XML namespace identifier (OOXML, Office metadata, Dublin Core and SharePoint content-type schemas) found in the RTF body, the kind of string left behind by embedded document properties or custom XML parts; none of them is a network indicator.
    • http://schemas.openxmlformats.org/drawingml/2006/main (in RTF body)
    • http://schemas.microsoft.com/office/2006/metadata/contentType (in RTF body)
    • http://schemas.microsoft.com/office/2006/metadata/properties/metaAttributes (in RTF body)
    • http://schemas.microsoft.com/office/2006/metadata/properties (in RTF body)
    • http://www.w3.org/2001/XMLSchema (in RTF body)
    • http://schemas.openxmlformats.org/package/2006/metadata/core-properties (in RTF body)
    • http://www.w3.org/2001/XMLSchema-instance (in RTF body)
    • http://purl.org/dc/elements/1.1/ (in RTF body)
    • http://purl.org/dc/terms/ (in RTF body)
    • http://schemas.microsoft.com/internal/obd (in RTF body)
    • http://dublincore.org/schemas/xmls/qdc/2003/04/02/dc.xsd (in RTF body)
    • http://dublincore.org/schemas/xmls/qdc/2003/04/02/dcterms.xsd (in RTF body)
    • http://schemas.microsoft.com/office/infopath/2007/PartnerControls (in RTF body)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml (in RTF body)
    • http://schemas.microsoft.com/sharepoint/v3/contenttype/forms (in RTF body)

Extracted artifacts (7)

Files carved from inside the sample during analysis.

Filename                      Kind                  Source                           Size (bytes)
objdata_00_off00000025.bin    rtf-objdata-decoded   RTF \objdata at offset 0x25      229
  SHA-256: bdf6de0a64b3411ca5229f989a8704bb9f2ac8eac0d3b0c83ab62136585dd012
objdata_01_off0000021e.bin    rtf-objdata-decoded   RTF \objdata at offset 0x21E     577763
  SHA-256: 2e58516ebfd204b3c6c6fa96fb36a05a777f1965bc70f5f28e3ed5ef20d6813c
objdata_02_off00127ccb.bin    rtf-objdata-decoded   RTF \objdata at offset 0x127CCB  1123
  SHA-256: 263c6a332f8bed14e4d9417cab11f921ef8d301d5b5d655b5a43179ea58c7434
objdata_03_off001285ca.bin    rtf-objdata-decoded   RTF \objdata at offset 0x1285CA  86244
  SHA-256: 0be9d9bc57e797711b906806417d481ada93fed84b74ff5f9c78eaafbf64dac6
objdata_04_off001527ca.bin    rtf-objdata-decoded   RTF \objdata at offset 0x1527CA  404
  SHA-256: 392cac683130eb6402c5b549f0e7d1653f531eebb9a09e8b26c73d30cf6c8b98
objdata_05_off00152b2e.bin    rtf-objdata-decoded   RTF \objdata at offset 0x152B2E  937
  SHA-256: e21955e19ee5e9c33caa29d20574aba20d6cc02b855734ac20377ad351eddf3c
objdata_06_off001532fe.bin    rtf-objdata-decoded   RTF \objdata at offset 0x1532FE  2633
  SHA-256: ce081fd28fe7177ff803b92dfff0940839fdacbc316318ce15cbf8889540f4f0
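The heuristics list and the artifact table above are what a small RTF object carver produces: locate each \objdata group, hex-decode it, parse the OLE1 ObjectHeader and look for the Composite Moniker CLSID in the decoded bytes. The following is an added example written for this page, not the analysis platform's own code. The rule names are taken from the report, but the RTF_EXCESSIVE_HEX threshold, the ".sct" string check standing in for the platform's scriptlet detection, and the sample RTF it runs on (a constructed stub that merely contains the CLSID bytes, not a working exploit) are assumptions.

```python
"""Added example (not the analysis platform's code): carve RTF \\objdata groups, parse the
OLE1 ObjectHeader and evaluate the report's RTF_* rules. Thresholds and sample are assumed."""
import binascii
import hashlib
import re
import struct
import uuid

# CLSID of the Composite Moniker class abused by CVE-2017-8570. On disk a CLSID is
# serialized little-endian (uuid.bytes_le), so its text form never appears in the blob.
COMPOSITE_MONIKER_CLSID = uuid.UUID("00000309-0000-0000-C000-000000000046").bytes_le
EXCESSIVE_HEX_THRESHOLD = 100 * 1024          # assumed threshold, in hex characters
HEX_DIGITS = frozenset(b"0123456789abcdefABCDEF")

def iter_objdata(rtf: bytes):
    """Yield (offset, decoded_bytes) per \\objdata group. Hex digits count only at the
    group's own depth, so junk in nested sub-groups (a common obfuscation) is ignored."""
    for m in re.finditer(rb"\\objdata\b", rtf):
        i, depth, hexchars = m.end(), 0, bytearray()
        while i < len(rtf):
            c = rtf[i]
            if c == 0x7B:                                 # '{' enter sub-group
                depth += 1
            elif c == 0x7D:                               # '}' leave sub-group or end
                if depth == 0:
                    break
                depth -= 1
            elif c == 0x5C:                               # '\' control word or symbol
                j = i + 1
                if rtf[j:j + 1].isalpha():                 # \word[-]digits[ ]
                    while rtf[j:j + 1].isalpha():
                        j += 1
                    while rtf[j:j + 1].isdigit() or rtf[j:j + 1] == b"-":
                        j += 1
                    if rtf[j:j + 1] == b" ":               # trailing space is the delimiter
                        j += 1
                else:                                      # \'hh escape or a symbol like \*
                    j += 3 if rtf[j:j + 1] == b"'" else 1
                i = j
                continue
            elif depth == 0 and c in HEX_DIGITS:
                hexchars.append(c)
            i += 1
        if len(hexchars) % 2:                             # tolerate a dangling nibble
            hexchars.pop()
        yield m.start(), binascii.unhexlify(bytes(hexchars))

def parse_ole1_header(blob: bytes):
    """Parse the OLE1 ObjectHeader (MS-OLEDS 2.2.4) that opens every \\objdata blob."""
    try:
        version, format_id = struct.unpack_from("<II", blob, 0)
        pos, names = 8, []
        for _ in range(3):                                # ClassName, TopicName, ItemName
            (n,) = struct.unpack_from("<I", blob, pos)
            names.append(blob[pos + 4:pos + 4 + n].rstrip(b"\x00").decode("latin-1"))
            pos += 4 + n
        (native_size,) = struct.unpack_from("<I", blob, pos)
    except struct.error:                                   # truncated or not OLE1 at all
        return None
    return {"version": version, "format_id": format_id, "class_name": names[0],
            "native_size": native_size, "native": blob[pos + 4:pos + 4 + native_size]}

def carve(rtf: bytes):
    """One record per embedded object, mirroring the report's artifact table."""
    return [{"filename": f"objdata_{idx:02d}_off{off:08x}.bin", "offset": off,
             "size": len(blob), "sha256": hashlib.sha256(blob).hexdigest(),
             "header": parse_ole1_header(blob), "data": blob}
            for idx, (off, blob) in enumerate(iter_objdata(rtf))]

def heuristics(rtf: bytes, records):
    """Evaluate the report's rule names over the carved objects."""
    moniker = any(COMPOSITE_MONIKER_CLSID in r["data"] for r in records)
    return {
        "RTF_OBJDATA": bool(records),
        "RTF_OBJEMB": rb"\objemb" in rtf,
        "RTF_OBJUPDATE": rb"\objupdate" in rtf,
        "RTF_EXCESSIVE_HEX": 2 * sum(r["size"] for r in records) > EXCESSIVE_HEX_THRESHOLD,
        "RTF_COMPOSITE_MONIKER_RELATED": moniker,
        # The report escalates to CVE_2017_8570 only with a scriptlet nearby; a ".sct"
        # reference in any carved object is the assumed stand-in for that check.
        "CVE_2017_8570": moniker and any(b".sct" in r["data"].lower() for r in records),
    }

def build_sample_rtf() -> bytes:
    """Constructed input, not the analysed sample: one OLE1 embedded object whose native
    data is a stub holding the moniker CLSID, with a junk sub-group splitting the hex."""
    def lps(s: bytes) -> bytes:                           # LengthPrefixedAnsiString
        return struct.pack("<I", len(s) + 1) + s + b"\x00"
    native = b"STUB" + COMPOSITE_MONIKER_CLSID + b"\x00" * 16
    ole1 = (struct.pack("<II", 0x00000501, 2) + lps(b"OLE2Link") + lps(b"") + lps(b"")
            + struct.pack("<I", len(native)) + native)
    hexdata = binascii.hexlify(ole1)
    half = len(hexdata) // 2
    return (b"{\\rtf1{\\object\\objemb\\objupdate{\\*\\objdata " + hexdata[:half]
            + b"{\\junk 41414141}" + hexdata[half:] + b"}}}")
```

To reproduce the table above, pass the sample's bytes to carve() and compare the sha256 values; the filenames follow the same objdata_NN_offXXXXXXXX.bin convention. The decoder deliberately ignores hex inside nested groups, which is how obfuscated samples hide the real object from naive regex extractors; rtfobj from oletools handles more of the RTF grammar and is worth running as a second opinion.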