Malicious RTF — malware analysis report

Static analysis result for SHA-256 0bd62252fc43a438…

MALICIOUS

RTF

Size: 737.1 KB
Created: 2018-05-02 20:28:00
First seen: 2018-09-04
MD5: 86c723f52099c730792d536d663c2e71
SHA-1: 90ba41ab2c9d75b0ec37538a9269c7abc167803b
SHA-256: 0bd62252fc43a438559314f7b244142162facb4036a68685b644ba8c396456ed
Risk score: 262

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment

The RTF file contains multiple embedded OLE objects and carries an \objupdate control word, which forces OLE activation on open and is indicative of exploiting vulnerabilities such as CVE-2017-8759 for client execution. ClamAV detections further confirm its malicious nature, flagging it as Doc.Macro.Obfuscation. The primary attack vector is likely a spearphishing attachment, with the embedded OLE object serving as the mechanism to download and execute a secondary payload.

Heuristics (6)

  • CVE-2017-8759 — MSXML SAX OLE activation [critical | CVE | likely | rule: CVE_2017_8759]
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • ClamAV: Doc.Dropper.Agent-6412232-1 [critical | rule: CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1
  • \objupdate forces OLE activation [high | rule: RTF_OBJUPDATE]
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium | rule: RTF_OBJDATA]
    RTF contains 10 \objdata section(s) (embedded OLE objects).
  • Embedded OLE object [medium | rule: RTF_OBJEMB]
    RTF contains \objemb (embedded OLE object).
  • Embedded URL [info | rule: EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Filename                    Kind                 Source                          Size         SHA-256
objdata_00_off00002c17.bin  rtf-objdata-decoded  RTF \objdata at offset 0x2C17   24123 bytes  b2e22676fee06896a873957859d0d48bf375417e7dd61140c112cfa4bcea6636
objdata_01_off0001429d.bin  rtf-objdata-decoded  RTF \objdata at offset 0x1429D  24123 bytes  976bb755054b06202a690e23ab3c822580926835f2b84b8e0185ffa7fccb45d2
objdata_02_off00025923.bin  rtf-objdata-decoded  RTF \objdata at offset 0x25923  24123 bytes  bcbea9dab104fa781f61fa27e1f45a00996847dec9b575f9d990854184e75284
objdata_03_off00036fa9.bin  rtf-objdata-decoded  RTF \objdata at offset 0x36FA9  24123 bytes  05a4e282d33542f855989da214f31036f5a288167aaaa06f8439075a243bf9fe
objdata_04_off0004862f.bin  rtf-objdata-decoded  RTF \objdata at offset 0x4862F  24123 bytes  7e579204301cdbd25607cd9b1af14975faa92bb01fbeffa13a0319c2806717b5
objdata_05_off00059cff.bin  rtf-objdata-decoded  RTF \objdata at offset 0x59CFF  24123 bytes  6e6367431b6fdbc85fcc15ac513693011834bb2b3dad73b405596fce18434a56
objdata_06_off0006b385.bin  rtf-objdata-decoded  RTF \objdata at offset 0x6B385  24123 bytes  1db456e212f98618268548a4f6d9587607e787d50f407bd804dc80605f419c79
objdata_07_off0007ca0b.bin  rtf-objdata-decoded  RTF \objdata at offset 0x7CA0B  24123 bytes  8d2ef883a01fca94f53dbd57d54716bd53b445bcc6b51d0c7e602a3e9dcc8fb2
objdata_08_off0008e091.bin  rtf-objdata-decoded  RTF \objdata at offset 0x8E091  24123 bytes  ce81a9e243d61f57b1fb43823a7ece3ae63acb43b61d4944622e01de35e3673b
objdata_09_off0009f717.bin  rtf-objdata-decoded  RTF \objdata at offset 0x9F717  24123 bytes  6358b39bccba2be228cfc5c0bc34dcfd3a62a585644b32c1c81b29ed277286bf

Detection (identical for all ten artifacts): ClamAV: Doc.Dropper.Agent-6412232-1
Obfuscation or payload (identical for all ten artifacts): unlikely