Malicious RTF — malware analysis report

Static analysis result for SHA-256 1527f7b9bdea7752…

MALICIOUS

RTF

560.9 KB Created: 2020-03-16 22:31:00 First seen: 2020-05-25
MD5: 5e31d16d6bf35ea117d6d2c4d42ea879 SHA-1: f8fb81d0a0acf5815190e1c85d937e49bc1dfec7 SHA-256: 1527f7b9bdea7752f72ffcd8b0a97e9f05092fed2cb9909a463e5775e12bd2d6
142 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains multiple embedded OLE objects and triggers an OLE activation via \objupdate, which is indicative of exploitation. The critical heuristic firing for CVE-2017-8759 confirms the exploitation of this specific vulnerability in MSXML SAX for OLE activation. This suggests the file is designed to execute arbitrary code by leveraging this exploit, likely to download and run a secondary payload.

Heuristics 5

  • CVE-2017-8759 — MSXML SAX OLE activation critical CVE likely CVE_2017_8759
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 3 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2003/wo In RTF body

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0000cae6.bin rtf-objdata-decoded RTF \objdata at offset 0xCAE6 254204 bytes
SHA-256: e7425a88b54b5790035f256c5679dee864d733ad9a54d39fb5eb9f81d5ac2f3f
objdata_01_off00088d04.bin rtf-objdata-decoded RTF \objdata at offset 0x88D04 6847 bytes
SHA-256: a1fb4393faca0e534a7e9a9d9da49fac0d334accf172a6066859a726dc5fe7b8
objdata_02_off00088d1e.bin rtf-objdata-decoded RTF \objdata at offset 0x88D1E 6843 bytes
SHA-256: 8eca43c06a36e7ff44d4af16b08dc92196dfdd3e4ab0c799623c9327ea97e45c