Malicious RTF — malware analysis report

Static analysis result for SHA-256 1020eedb2196bdd8…

MALICIOUS

RTF

378.9 KB Created: 2019-01-20 14:19:00 First seen: 2019-08-04
MD5: cce651966d0497b5c419350dd2f7db13 SHA-1: eb0d86145a1b0da8c8502cee82564c8edad40235 SHA-256: 1020eedb2196bdd8313006b8c95c5ef83e463a7e6f5a7f972a635fe03976fc5c
202 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF document contains multiple OLE objects and triggers the ".objupdate" directive, indicating an attempt to activate embedded objects. The critical heuristic firing for CVE-2017-8759 confirms exploitation of MSXML SAX OLE activation. This suggests the file is designed to exploit this vulnerability to execute arbitrary code, likely as a payload delivery mechanism.

Heuristics 6

  • Equation Editor CLSID critical CVE likely RTF_EQUATION_EDITOR
    Equation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
  • CVE-2017-8759 — MSXML SAX OLE activation critical CVE likely CVE_2017_8759
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 3 \objdata section(s) — embedded OLE objects
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2003/wordml In RTF body

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0004169f.bin rtf-objdata-decoded RTF \objdata at offset 0x4169F 8592 bytes
SHA-256: 67ff0449c56810ed91342d38f4bcc93b13e25946a55d6fed92fc2708e3e82c64
objdata_01_off00045a6f.bin rtf-objdata-decoded RTF \objdata at offset 0x45A6F 18049 bytes
SHA-256: 6c968ac1eb97ead0192cea97f45b634e9a9a6ac10b9fc522e7dc3a01013671cf
objdata_02_off00050e9b.bin rtf-objdata-decoded RTF \objdata at offset 0x50E9B 16821 bytes
SHA-256: a111ccc1f93772e287d5c10b2ec626d2bd40d66899cb63528663bcfb1f9790e0
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_STR_LOADLIBRARY, SC_STR_URLDOWNLOAD, SC_PEB_ACCESS Static shellcode analysis recovered API/import strings: LoadLibraryW, GetProcAddress, URLDownloadToFileW, ExitProcess

Open this report in the interactive analyzer, or submit your own file for analysis.