Malicious RTF — malware analysis report

Static analysis result for SHA-256 1ae90a2568210c4c…

Verdict: MALICIOUS
File type: RTF
Size: 54.3 KB
First seen: 2017-11-29
MD5: f464cae8b7c759237544da8f3645f4d8
SHA-1: cf6915d6c65c35648b23e8137c37ea3d3dc61251
SHA-256: 1ae90a2568210c4c713e871c615892c174a5bb9f181141baca29460f499b7483
Risk score: 160

Malware Insights

MITRE ATT&CK
  T1203 Exploitation for Client Execution
  T1566.001 Spearphishing Attachment

The RTF file contains OLE object data that is automatically linked and updated, triggering remote code execution. This is indicative of exploitation for client execution, likely delivered via spearphishing. The specific vulnerabilities exploited are CVE-2017-0199 and CVE-2017-8759, which allow for the loading of remote content.

Heuristics (4)

  • CVE-2017-0199 / CVE-2017-8759 (OLE2Link auto-activated remote loader) [critical, CVE related] rule: RTF_OLE2LINK_REMOTE_MONIKER_LOADER
    RTF embeds an OLE2Link object that is force-activated with \objupdate (no user interaction on open) and fetches a remote second stage — through an INCLUDETEXT/INCLUDEPICTURE field or the OLE object's own moniker. This is the OLE2Link auto-update attack path shared by CVE-2017-0199 (server returns an HTA/scriptlet) and CVE-2017-8759 (server returns a SOAP WSDL the .NET parser compiles). Office processes the fetched response through the same code path; the specific CVE depends on the now-unreachable server content type.
  • Automatically linked OLE object [high] rule: RTF_OBJAUTLINK
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation [high] rule: RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] rule: RTF_OBJDATA
    RTF contains 1 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000003f.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x3F
Size: 3125 bytes
SHA-256: 0b8c65b3ae12b014d4df5024850b74b0ee85f8b1f48e387b42474e8a29ef747d