Malicious RTF — malware analysis report

Static analysis result for SHA-256 1b7b6d326b93e83a…

MALICIOUS

RTF

Size: 675.4 KB
Created: 2017-11-02 10:36:00
First seen: 2018-08-14
MD5: 7ecfacb70f773bf32943efc676204c57
SHA-1: add934b52af471be2d108ae245f5b4bbf1b0ece8
SHA-256: 1b7b6d326b93e83a99214ef1ff3867c5b6f66b9defcc16fb44134ecaed4a4667
Risk Score: 262

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment

The RTF file contains multiple embedded OLE objects and uses the \objupdate control word, which forces OLE activation when the document is opened and is indicative of exploiting vulnerabilities such as CVE-2017-8759 for client execution. ClamAV detections further confirm its malicious nature, flagging it as Doc.Macro.Obfuscation. The primary attack vector is likely a spearphishing attachment, with the embedded OLE object serving as the mechanism to download and execute a secondary payload.

Heuristics 6

  • CVE-2017-8759 — MSXML SAX OLE activation (severity: critical; tag: CVE, likely CVE_2017_8759)
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • ClamAV: Doc.Macro.Obfuscation-6391394-0 (severity: critical; tag: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Macro.Obfuscation-6391394-0
  • \objupdate forces OLE activation (severity: high; tag: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium; tag: RTF_OBJDATA)
    RTF contains 10 \objdata section(s) — embedded OLE objects
  • Embedded OLE object (severity: medium; tag: RTF_OBJEMB)
    RTF contains \objemb — embedded OLE object
  • Embedded URL (severity: info; tag: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts 10

Files carved from inside the sample during analysis.

Columns: Filename, Kind, Source, Size, SHA-256, Detection, Obfuscation or payload

  • objdata_00_off00002a88.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x2A88
    Size: 21057 bytes
    SHA-256: aa180f6358842704632e9a92c6bee186afc5df90c69c310b17063bc48e1752f5
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_01_off00012897.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x12897
    Size: 21057 bytes
    SHA-256: 3da23e0fdcf0fefa377dbf088b7aed6183a24635bf248acb40af625ea35353cc
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_02_off000226a8.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x226A8
    Size: 21057 bytes
    SHA-256: 6125421a735dc6eb850222802cbe5521aede27a7141fae73efd4f7c98d3afe4c
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_03_off000324b9.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x324B9
    Size: 21057 bytes
    SHA-256: 80f1e5f0e2f406e63ed2d3473667653e0d0209b82f772aa67da2de07f29c78c4
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_04_off000422ca.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x422CA
    Size: 21057 bytes
    SHA-256: fd61f11a94d0491f494797cfc0d9c2c4e13f51d0fb9e6502b980908fbc95ea7e
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_05_off000520db.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x520DB
    Size: 21057 bytes
    SHA-256: 283a1b9d8de86316d84a6eba9fa869f55324c70ab34b53c3122768ea3df22f10
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_06_off00061eec.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x61EEC
    Size: 21057 bytes
    SHA-256: 23e478992d0ffed8dab020aa87c6bb1a16345791933512077b7243dbef130470
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_07_off00071cfd.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x71CFD
    Size: 21057 bytes
    SHA-256: a3935ccca2e7f0e30a5a5d02ec92a8b23e56343da9c1be0292eeaaf907432fc4
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_08_off00081b0e.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x81B0E
    Size: 21057 bytes
    SHA-256: 23de7418acc74000dc8b3a0383fc18136c172cd991c4baa2fd1fb3be21d80d8c
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_09_off0009191f.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x9191F
    Size: 21057 bytes
    SHA-256: 4b8ecbcd14d1078fea30d5c7ab74a5ef3aa7cd4b77bd9e380ec9fe10060e854d
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely