Malicious RTF — malware analysis report

Static analysis result for SHA-256 1183b99029269939…

Verdict: MALICIOUS
File type: RTF
Size: 918.5 KB
Created: 2018-05-10 16:12:00
First seen: 2019-06-27
MD5: 12204884a2f0aee9ef4b48b64717f023
SHA-1: 0163f3f3107c33fac75f3a58a264aef44c3dc579
SHA-256: 1183b990292699393452290b7bbf605d36bba78cccf8b6c048b32609d99825f8
Risk Score: 262

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file contains multiple embedded OLE objects and carries an \objupdate control word, which forces OLE activation on open and is indicative of exploiting vulnerabilities such as CVE-2017-8759 for client execution. ClamAV detections further confirm its malicious nature, flagging it as Doc.Macro.Obfuscation. The primary attack vector is likely a spearphishing attachment, with the embedded OLE object serving as the mechanism to download and execute a secondary payload.

Heuristics (6)

  • CVE-2017-8759 — MSXML SAX OLE activation (severity: critical; CVE likely; tag: CVE_2017_8759)
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • ClamAV: Doc.Dropper.Agent-6412232-1 (severity: critical; tag: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1
  • \objupdate forces OLE activation (severity: high; tag: RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium; tag: RTF_OBJDATA)
    RTF contains 10 \objdata section(s): embedded OLE objects.
  • Embedded OLE object (severity: medium; tag: RTF_OBJEMB)
    RTF contains \objemb: embedded OLE object.
  • Embedded URL (severity: info; tag: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Each entry lists Filename, Kind, Source, Size, SHA-256, Detection, and the obfuscation/payload assessment.

  • objdata_00_off00002c1e.bin
    Kind: rtf-objdata-decoded  Source: RTF \objdata at offset 0x2C1E  Size: 33339 bytes
    SHA-256: 0998169e7c7294473bcb9e862e61c550c26b7b00de24a4df2a3f2ac4116334ad
    Detection: ClamAV: Doc.Dropper.Agent-6412232-1
    Obfuscation or payload: unlikely
  • objdata_01_off00018b3a.bin
    Kind: rtf-objdata-decoded  Source: RTF \objdata at offset 0x18B3A  Size: 33339 bytes
    SHA-256: 1f4d841fe26810c80b0a26bfeec56b7d93a57752dd52ac011ce5bffaea58cd3e
    Detection: ClamAV: Doc.Dropper.Agent-6412232-1
    Obfuscation or payload: unlikely
  • objdata_02_off0002ea56.bin
    Kind: rtf-objdata-decoded  Source: RTF \objdata at offset 0x2EA56  Size: 33339 bytes
    SHA-256: cdb558ce1dc320befcce94c057e40e31d4c4b2d71538652896127802e89e868c
    Detection: ClamAV: Doc.Dropper.Agent-6412232-1
    Obfuscation or payload: unlikely
  • objdata_03_off00044972.bin
    Kind: rtf-objdata-decoded  Source: RTF \objdata at offset 0x44972  Size: 33339 bytes
    SHA-256: aa4058fc948589765cb3262d8330473b5fc61c0cf0357252759549d056cf538a
    Detection: ClamAV: Doc.Dropper.Agent-6412232-1
    Obfuscation or payload: unlikely
  • objdata_04_off0005a88e.bin
    Kind: rtf-objdata-decoded  Source: RTF \objdata at offset 0x5A88E  Size: 33339 bytes
    SHA-256: 42ed4130250f7ac306d3f9febb8f2889906cdf67f1eb25ffaede83762793d3ff
    Detection: ClamAV: Doc.Dropper.Agent-6412232-1
    Obfuscation or payload: unlikely
  • objdata_05_off000707f6.bin
    Kind: rtf-objdata-decoded  Source: RTF \objdata at offset 0x707F6  Size: 33339 bytes
    SHA-256: a9f5331fbf7ca83412490685f4b99214a116f0b2de3c793666939ef121c93920
    Detection: ClamAV: Doc.Dropper.Agent-6412232-1
    Obfuscation or payload: unlikely
  • objdata_06_off00086712.bin
    Kind: rtf-objdata-decoded  Source: RTF \objdata at offset 0x86712  Size: 33339 bytes
    SHA-256: 96831341a90731dfcc664d0f7155a84e1d794475d0dd165fba28198772820c79
    Detection: ClamAV: Doc.Dropper.Agent-6412232-1
    Obfuscation or payload: unlikely
  • objdata_07_off0009c62e.bin
    Kind: rtf-objdata-decoded  Source: RTF \objdata at offset 0x9C62E  Size: 33339 bytes
    SHA-256: 84028b57dcadc2d40ad138fcd9fa2638bd0d16d554fa6d9a2813d286810d2330
    Detection: ClamAV: Doc.Dropper.Agent-6412232-1
    Obfuscation or payload: unlikely
  • objdata_08_off000b254a.bin
    Kind: rtf-objdata-decoded  Source: RTF \objdata at offset 0xB254A  Size: 33339 bytes
    SHA-256: 666dfb0229eda29599c07760dd70f8dda10a36177387ba6b067461cab9b233a6
    Detection: ClamAV: Doc.Dropper.Agent-6412232-1
    Obfuscation or payload: unlikely
  • objdata_09_off000c8466.bin
    Kind: rtf-objdata-decoded  Source: RTF \objdata at offset 0xC8466  Size: 33339 bytes
    SHA-256: 798612c7ce3d574af489c457314321443f2dd5b3b1f75d976b35351f3ca25f1d
    Detection: ClamAV: Doc.Dropper.Agent-6412232-1
    Obfuscation or payload: unlikely