Malicious RTF — malware analysis report

Static analysis result for SHA-256 0c63ef29d5a9674a…

Verdict: MALICIOUS
File type: RTF
Size: 1.01 MB
First seen: 2017-04-18
MD5: 8d5ac93ef3d04b979bfdad24f9674b00
SHA-1: 5bf0d5d9b3844d41538a4213cc92dae169cb428d
SHA-256: 0c63ef29d5a9674a00bb71a150d2ae6f3dc856a43291e79260992f08fdcd53d3
Risk score: 244

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file contains embedded OLE objects and triggers heuristics for composite monikers and remote URL inclusion, the latter pointing to 'http://aliandqazi.com/Jobs/'. ClamAV detections confirm the presence of an exploit targeting CVE-2015-1641, indicating the file is intended to exploit this vulnerability for code execution. The document body, which appears to describe UN career opportunities, is a lure that disguises the malicious payload.

Heuristics (7)

  • Composite Moniker in RTF OLE object [high] [CVE related] RTF_COMPOSITE_MONIKER_RELATED
    RTF contains a Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat this as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • ClamAV: Doc.Exploit.CVE_2015_1641-6397417-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Exploit.CVE_2015_1641-6397417-0
  • INCLUDETEXT/INCLUDEPICTURE remote URL [high] RTF_INCLUDE_REMOTE
    RTF document uses INCLUDETEXT or INCLUDEPICTURE with an http:// URL. Depending on Office version and external-content settings, Word can fetch the remote content on open, enabling remote template injection, NTLM capture via redirects, or payload delivery.
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 3 \objdata section(s): embedded OLE objects
  • Embedded OLE object [medium] RTF_OBJEMB
    RTF contains \objemb: an embedded OLE object
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                    Kind                 Source                           Size
objdata_00_off00019f2b.bin  rtf-objdata-decoded  RTF \objdata at offset 0x19F2B   45 bytes
  SHA-256: 083c2e8b44386e792363878581e7e6cc02382e07194162f33517c429dfbcec43
objdata_01_off0001a900.bin  rtf-objdata-decoded  RTF \objdata at offset 0x1A900   442417 bytes
  SHA-256: 27a4c87cfe9b259b1d5491db1302f6c770b772679735031c2cd55ab7bba93dd9
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact entropy is 7.87, consistent with packed or encrypted content)
objdata_02_off000f519b.bin  rtf-objdata-decoded  RTF \objdata at offset 0xF519B   15334 bytes
  SHA-256: 0477aa781fc8629f7d668efda3900c020370d3cdbb61d7f1878474a165729c2f
  Detection: ClamAV: Doc.Exploit.CVE_2015_1641-6397417-0
  Obfuscation or payload: unlikely