Malicious RTF — malware analysis report

Static analysis result for SHA-256 08eab94333a92ede…

Verdict: MALICIOUS
File type: RTF
Size: 918.5 KB
Created: 2018-05-07
First seen: 2018-05-18
MD5: 50989eaf5f6b438b1fca90fd2f96d7d2
SHA-1: 2d2d3a6357a11d3c3b93b84714eab031e02222f6
SHA-256: 08eab94333a92ede47ea078b9f364f1380055ee486e0a2c19e1dc506bd7d83b6
Risk Score: 262

Malware Insights

MITRE ATT&CK

  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file contains multiple embedded OLE objects and carries an \objupdate control word, a pattern indicative of exploitation of vulnerabilities such as CVE-2017-8759 for client execution. ClamAV detections further confirm its malicious nature, flagging it as Doc.Macro.Obfuscation. The primary attack vector is most likely a spearphishing attachment, with the embedded OLE object serving as the mechanism to download and execute a secondary payload.

Heuristics (6)

  • CVE-2017-8759 — MSXML SAX OLE activation [critical, likely; rule CVE_2017_8759]
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • ClamAV: Doc.Dropper.Agent-6412232-1 [critical; rule CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1
  • \objupdate forces OLE activation [high; rule RTF_OBJUPDATE]
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium; rule RTF_OBJDATA]
    RTF contains 10 \objdata section(s): embedded OLE objects.
  • Embedded OLE object [medium; rule RTF_OBJEMB]
    RTF contains \objemb: embedded OLE object.
  • Embedded URL [info; rule EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts (10)

Files carved from inside the sample during analysis. Each entry gives filename (kind; source; size), followed by its SHA-256, detection result, and obfuscation/payload assessment.

  • objdata_00_off00002c11.bin (rtf-objdata-decoded; RTF \objdata at offset 0x2C11; 33339 bytes)
    SHA-256: 74062d45cae4ea5c1967236d60d6985eca4dbf869d78cacd9e4c2fd026669641
    Detection: ClamAV: Doc.Dropper.Agent-6412232-1
    Obfuscation or payload: unlikely
  • objdata_01_off00018b2d.bin (rtf-objdata-decoded; RTF \objdata at offset 0x18B2D; 33339 bytes)
    SHA-256: fa5a80e783b7af57eac3371f0b4b02b0346832f17036ae9be17c2997ea7fd5f4
    Detection: ClamAV: Doc.Dropper.Agent-6412232-1
    Obfuscation or payload: unlikely
  • objdata_02_off0002ea49.bin (rtf-objdata-decoded; RTF \objdata at offset 0x2EA49; 33339 bytes)
    SHA-256: 5f6e4d774db876726c04d546e5a354cebafff84afc1e40081388a48d03bf810d
    Detection: ClamAV: Doc.Dropper.Agent-6412232-1
    Obfuscation or payload: unlikely
  • objdata_03_off00044965.bin (rtf-objdata-decoded; RTF \objdata at offset 0x44965; 33339 bytes)
    SHA-256: 08980089f487b0c53ac3959bb0f59fb11a850f637190eed170517b778ae78035
    Detection: ClamAV: Doc.Dropper.Agent-6412232-1
    Obfuscation or payload: unlikely
  • objdata_04_off0005a881.bin (rtf-objdata-decoded; RTF \objdata at offset 0x5A881; 33339 bytes)
    SHA-256: a814bd17e4821274eec062bd2396596fc1a6d759dac82ebe4503c02d97637cf5
    Detection: ClamAV: Doc.Dropper.Agent-6412232-1
    Obfuscation or payload: unlikely
  • objdata_05_off000707e9.bin (rtf-objdata-decoded; RTF \objdata at offset 0x707E9; 33339 bytes)
    SHA-256: 0f77744282941a3e3b200d348f0005c9cf06415f6994bc30198e824859d26019
    Detection: ClamAV: Doc.Dropper.Agent-6412232-1
    Obfuscation or payload: unlikely
  • objdata_06_off00086705.bin (rtf-objdata-decoded; RTF \objdata at offset 0x86705; 33339 bytes)
    SHA-256: 261a7e977c81a7d51005128a113a958aed9cb2f7c692a6eaa2ee8fc41bb6b62c
    Detection: ClamAV: Doc.Dropper.Agent-6412232-1
    Obfuscation or payload: unlikely
  • objdata_07_off0009c621.bin (rtf-objdata-decoded; RTF \objdata at offset 0x9C621; 33339 bytes)
    SHA-256: 378ca89f5c46d8649b64547cb352174158214bb326a5919a986c4b3eb6606326
    Detection: ClamAV: Doc.Dropper.Agent-6412232-1
    Obfuscation or payload: unlikely
  • objdata_08_off000b253d.bin (rtf-objdata-decoded; RTF \objdata at offset 0xB253D; 33339 bytes)
    SHA-256: 619d20a6906cd5e87ea85c984edd861a8efe7390dc23caf82a6d10418ed6ebef
    Detection: ClamAV: Doc.Dropper.Agent-6412232-1
    Obfuscation or payload: unlikely
  • objdata_09_off000c8459.bin (rtf-objdata-decoded; RTF \objdata at offset 0xC8459; 33339 bytes)
    SHA-256: ff96001c20cfad642e48b48860f65e13f95a6ede2b421469fb26e4eedd690c61
    Detection: ClamAV: Doc.Dropper.Agent-6412232-1
    Obfuscation or payload: unlikely