Malicious RTF — malware analysis report

Static analysis result for SHA-256 167aafdfaa04977a…

MALICIOUS

RTF

Size: 505.6 KB  Created: 2020-06-11 15:56:00
MD5: fdda4b2493c1e188e1f10db3c2cef067
SHA-1: 49f9177dd16bdb916b8c01b6ad4cdc5030c526f2
SHA-256: 167aafdfaa04977ae83d81a19cae24822b667e0e881ddc19f264c2bfb3e5b09c
Risk Score: 142

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF document contains multiple embedded OLE objects, with one specifically triggering the ".objupdate" directive. This directive is known to activate embedded objects, leading to the exploitation of CVE-2017-8759. This vulnerability allows for arbitrary code execution, indicating a malicious intent to compromise the user's system.

Heuristics (5)

  • CVE-2017-8759 — MSXML SAX OLE activation (severity: critical; CVE likely; rule: CVE_2017_8759)
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • \objupdate forces OLE activation (severity: high; rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium; rule: RTF_OBJDATA)
    RTF contains 8 \objdata section(s) — embedded OLE objects
  • Embedded OLE object (severity: medium; rule: RTF_OBJEMB)
    RTF contains \objemb — embedded OLE object
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml

Extracted artifacts (8)

Files carved from inside the sample during analysis.

Each entry lists the carved filename, its SHA-256, kind, source location in the RTF, and size.

  • objdata_00_off00002b2d.bin
    SHA-256: ba6920a525614d65307a14feb4f04ba7ceab662d029af7441e4fe2dec4bec1bc
    Kind: rtf-objdata-decoded  Source: RTF \objdata at offset 0x2B2D  Size: 20539 bytes
  • objdata_01_off000112ef.bin
    SHA-256: 99edfaa7af0f6829151758a909020464d564c45aaec95ebcdc9d7c81916bd02b
    Kind: rtf-objdata-decoded  Source: RTF \objdata at offset 0x112EF  Size: 20539 bytes
  • objdata_02_off0001fbb8.bin
    SHA-256: b7fbba9d0bf026f681221968cb8d0590fdb77a2695e627e1ecec9b0feb69b1fc
    Kind: rtf-objdata-decoded  Source: RTF \objdata at offset 0x1FBB8  Size: 20539 bytes
  • objdata_03_off0002e481.bin
    SHA-256: 07a7bef46db553188088bdc0efb4a8f2fd443dbb0174a5f7993396496238f2b3
    Kind: rtf-objdata-decoded  Source: RTF \objdata at offset 0x2E481  Size: 20539 bytes
  • objdata_04_off0003cd4a.bin
    SHA-256: 502b1bda774f3fbb3b551fdd71f9b15a10b0546e8af933bb59412aa573654fad
    Kind: rtf-objdata-decoded  Source: RTF \objdata at offset 0x3CD4A  Size: 20539 bytes
  • objdata_05_off0004b613.bin
    SHA-256: 6592e0d91c3f9741c9cb7f60c8bf5c837379f4a9c9ff8eb948366eb38fbc06f2
    Kind: rtf-objdata-decoded  Source: RTF \objdata at offset 0x4B613  Size: 20539 bytes
  • objdata_06_off00059edc.bin
    SHA-256: 3e42e7ddeb20582dcdd41eacb808eedc09a59cb050317804143d492679bd99d5
    Kind: rtf-objdata-decoded  Source: RTF \objdata at offset 0x59EDC  Size: 20539 bytes
  • objdata_07_off000687a5.bin
    SHA-256: 73124a7f85e75eda0625098497c10dba1fdabc621a74be5d6badd7597c060ec8
    Kind: rtf-objdata-decoded  Source: RTF \objdata at offset 0x687A5  Size: 20539 bytes