Malicious RTF — malware analysis report

Static analysis result for SHA-256 0c346972a2ccebb2…

MALICIOUS

RTF

Size: 337.5 KB
Created: 2021-05-17 23:34:00
First seen: 2021-05-29
MD5: d598749a8c86b1cdd313ff6c86626c86
SHA-1: 417e4274771a9614d49493157761c12e54060588
SHA-256: 0c346972a2ccebb2642ced34213f43595896da233f06f6251967517ae342908f
Risk Score: 284

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file contains multiple indicators of malicious activity, including OLE object embedding and activation, heap spraying, and a critical detection for CVE-2017-8759. This vulnerability is known to be exploited by droppers to download and execute further malicious content. The ClamAV detection 'Doc.Dropper.RoyalRoadRTF-9874342-0' further supports this assessment.

Heuristics (9)

  • CVE-2017-8759 — MSXML SAX OLE activation (severity: critical; tags: CVE, likely; rule: CVE_2017_8759)
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • ClamAV: Doc.Dropper.RoyalRoadRTF-9874342-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.RoyalRoadRTF-9874342-0
  • Heap-spray pattern detected (severity: high; rule: SC_HEAP_SPRAY)
    Repeated 0x41 (A) bytes found
    Disassembly
    Attempted x86 opcode disassembly
    00052836  41                inc ecx
    ... (the same 0x41 byte, decoding to inc ecx, repeats at every address through 00052895: 96 consecutive bytes)
    00052895  41                inc ecx
  • \objupdate forces OLE activation (severity: high; rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • Package object class (severity: high; rule: RTF_OBJCLASS_PACKAGE)
    OLE Package object — can wrap arbitrary files
  • OLE object data (severity: medium; rule: RTF_OBJDATA)
    RTF contains 3 \objdata section(s) — embedded OLE objects
  • Embedded OLE object (severity: medium; rule: RTF_OBJEMB)
    RTF contains \objemb — embedded OLE object
  • Suspicious extracted artifact (severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                    | Kind                | Source                         | Size
----------------------------|---------------------|--------------------------------|-------------
objdata_00_off00007ab8.bin  | rtf-objdata-decoded | RTF \objdata at offset 0x7AB8  | 145636 bytes
    SHA-256: 9a8a71793a4862d9c97cbc57b85b91feca6b54cc844291f8f375d602048e27ba
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely — carved artifact entropy is 8.00, consistent with packed or encrypted content.
objdata_01_off0004fa7d.bin  | rtf-objdata-decoded | RTF \objdata at offset 0x4FA7D | 8896 bytes
    SHA-256: bb68150de7c41917028f9d8188775364cf71196890073fd3d38310751f83dd40
objdata_02_off0004fa97.bin  | rtf-objdata-decoded | RTF \objdata at offset 0x4FA97 | 8892 bytes
    SHA-256: 4cbc11f321a22bd3669d4faa5b04823a6bf1dd5e7fb0a359f1c642b1d2c255ec