Verdict: MALICIOUS
Risk Score: 380
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
The RTF file contains OLE object data that is force-activated via \objupdate, exploiting CVE-2017-0199 or CVE-2017-8759. This mechanism is used to load and execute a secondary payload, indicated by Metasploit reverse shellcode and references to WinExec, VirtualAlloc, and LoadLibrary APIs. The ClamAV detection name further supports its role as a downloader.
Heuristics (9)

- CVE-2017-0199 / CVE-2017-8759 (OLE2Link auto-activated remote loader) [critical, RTF_OLE2LINK_REMOTE_MONIKER_LOADER]: RTF embeds an OLE2Link object that is force-activated with \objupdate (no user interaction on open) and fetches a remote second stage — through an INCLUDETEXT/INCLUDEPICTURE field or the OLE object's own moniker. This is the OLE2Link auto-update attack path shared by CVE-2017-0199 (server returns an HTA/scriptlet) and CVE-2017-8759 (server returns a SOAP WSDL the .NET parser compiles). Office processes the fetched response through the same code path; the specific CVE depends on the now-unreachable server content type.
- ClamAV: Rtf.Downloader.CVE_2017-6336326-3 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Rtf.Downloader.CVE_2017-6336326-3
- Metasploit reverse_tcp shellcode [critical, SC_MSF_REVERSE]: Metasploit reverse_tcp shellcode

  Disassembly (attempted x86 opcode disassembly):

  ```
  00064C2C  fc              cld
  00064C2D  e882000000      call 0x64cb4
  00064C32  5f              pop edi
  00064C33  5e              pop esi
  00064C34  5b              pop ebx
  00064C35  8be5            mov esp, ebp
  00064C37  5d              pop ebp
  00064C38  c3              ret
  00064C39  8d4000          lea eax, [eax]
  00064C3C  53              push ebx
  00064C3D  56              push esi
  00064C3E  8bd8            mov ebx, eax
  00064C40  3b5324          cmp edx, dword ptr [ebx + 0x24]
  00064C43  7436            je 0x64c7b
  00064C45  8bf2            mov esi, edx
  00064C47  85f6            test esi, esi
  00064C49  7518            jne 0x64c63
  00064C4B  33c0            xor eax, eax
  00064C4D  8a4318          mov al, byte ptr [ebx + 0x18]
  00064C50  8b048528ef4700  mov eax, dword ptr [eax*4 + 0x47ef28]
  00064C57  50              push eax
  00064C58  a1f06c4800      mov eax, dword ptr [0x486cf0]
  00064C5D  8b00            mov eax, dword ptr [eax]
  00064C5F  ffd0            call eax
  00064C61  8bd0            mov edx, eax
  00064C63  895324          mov dword ptr [ebx + 0x24], edx
  00064C66  c6434401        mov byte ptr [ebx + 0x44], 1
  00064C6A  8b4304          mov eax, dword ptr [ebx + 4]
  00064C6D  e8ba060000      call 0x6532c
  00064C72  85f6            test esi, esi
  00064C74  7505            jne 0x64c7b
  00064C76  33c0            xor eax, eax
  00064C78  894324          mov dword ptr [ebx + 0x24], eax
  00064C7B  5e              pop esi
  00064C7C  5b              pop ebx
  00064C7D  c3              ret
  00064C7E  8bc0            mov eax, eax
  00064C80  3b5028          cmp edx, dword ptr [eax + 0x28]
  00064C83  7413            je 0x64c98
  00064C85  895028          mov dword ptr [eax + 0x28], edx
  00064C88  c6402c00        mov byte ptr [eax + 0x2c], 0
  ```

- Reference to WinExec API [high, SC_STR_WINEXEC]: Reference to WinExec API
- Reference to LoadLibrary API [high, SC_STR_LOADLIBRARY]: Reference to LoadLibrary API
- Reference to GetProcAddress API [high, SC_STR_GETPROCADDRESS]: Reference to GetProcAddress API
- \objupdate forces OLE activation [high, RTF_OBJUPDATE]: RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
- Reference to VirtualAlloc API [medium, SC_STR_VIRTUALALLOC]: Reference to VirtualAlloc API
- OLE object data [medium, RTF_OBJDATA]: RTF contains 2 \objdata section(s) — embedded OLE objects
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| objdata_00_off000001d7.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1D7 | 2598 bytes | a146c6985c10cbb56b61e41b392364f6f1e5bee352ccf463b85b1634b13ec499 |
| objdata_01_off00001905.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1905 | 2674 bytes | e293e79ea09eae7ddd4701951c07de9d4affcb93fe1bb6b246b18458b3d3f766 |