Malicious RTF — malware analysis report

Static analysis result for SHA-256 117499736b9afbb1…

Verdict: MALICIOUS
File type: RTF
Size: 732.4 KB | Created: 2018-05-02 19:32:00 | First seen: 2019-05-16
MD5: 2cc7fc98e38f1e1b968a6c28fd445c38
SHA-1: 9c9249862ba0105be67748334507445cf1a060a3
SHA-256: 117499736b9afbb1abc8f865801348c016bad82c0c89d1fb0b133f695a10c3a8
Risk Score: 262

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file contains multiple embedded OLE objects and carries the \objupdate control word, which forces OLE object activation on open and is indicative of exploiting vulnerabilities such as CVE-2017-8759 for client execution. ClamAV detections further confirm its malicious nature, flagging it as Doc.Macro.Obfuscation. The primary attack vector is likely a spearphishing attachment, with the embedded OLE object serving as the mechanism to download and execute a secondary payload.

Heuristics (6)

  • CVE-2017-8759 — MSXML SAX OLE activation [critical] CVE likely (CVE_2017_8759)
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • ClamAV: Doc.Dropper.Agent-6412232-1 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1
  • \objupdate forces OLE activation [high] (RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] (RTF_OBJDATA)
    RTF contains 10 \objdata section(s) — embedded OLE objects
  • Embedded OLE object [medium] (RTF_OBJEMB)
    RTF contains \objemb — embedded OLE object
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size

objdata_00_off00002c16.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2C16 | 24123 bytes
  SHA-256: 1d44498f62472863278f46c8e1ebeffa797930897d4e7a98c6bdfc15377241ca
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely

objdata_01_off000140bd.bin | rtf-objdata-decoded | RTF \objdata at offset 0x140BD | 24123 bytes
  SHA-256: a936a9fd1c7324d79fc32ef43d9b1723b672e302312d4ad1404dca57fe8c13cd
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely

objdata_02_off00025564.bin | rtf-objdata-decoded | RTF \objdata at offset 0x25564 | 24123 bytes
  SHA-256: 54d8fd3b44bb38cf15344010e42352fd42b03489c80062d1f9681efad4b85a34
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely

objdata_03_off00036a0b.bin | rtf-objdata-decoded | RTF \objdata at offset 0x36A0B | 24123 bytes
  SHA-256: 0bd08a9bb4a07a8f5d672c6542adbc577b3253d9c259f37a41768ff0f86531c6
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely

objdata_04_off00047eb2.bin | rtf-objdata-decoded | RTF \objdata at offset 0x47EB2 | 24123 bytes
  SHA-256: 4cac3f5100345e0fe9fe6e9c232744d88e419511d314f8959fc39ed492dda37f
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely

objdata_05_off000593a3.bin | rtf-objdata-decoded | RTF \objdata at offset 0x593A3 | 24123 bytes
  SHA-256: 5b49702dde27c4e9d1c16837771763c2b8beda8877e9a4b72e773317e1a0cc6f
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely

objdata_06_off0006a84a.bin | rtf-objdata-decoded | RTF \objdata at offset 0x6A84A | 24123 bytes
  SHA-256: e6248ea0d5b498face41e52927af300bd8786934435ff388840fc83a896511e1
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely

objdata_07_off0007bcf1.bin | rtf-objdata-decoded | RTF \objdata at offset 0x7BCF1 | 24123 bytes
  SHA-256: 67f4b7eb1c10261792bd1c338515a04a1d2b235332e15e3ad93975c46d3db990
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely

objdata_08_off0008d198.bin | rtf-objdata-decoded | RTF \objdata at offset 0x8D198 | 24123 bytes
  SHA-256: dccd3e2526d2bafc60d717037e1bff588f47e83fa76b2a9e6bb4650d369823e4
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely

objdata_09_off0009e63f.bin | rtf-objdata-decoded | RTF \objdata at offset 0x9E63F | 24123 bytes
  SHA-256: 3f32f9d89e9c046594a3ec4ed140df96bae3857bc209fde80c65bedf12bf7d3a
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely