RTF malware analysis — malicious · 1bfd7e3dfa33d09b

MALICIOUS

RTF

876.3 KB Created: 2018-05-02 20:25:00 First seen: 2019-11-20

MD5: dd509f7b263b4f679ed1531a5f79dd16 SHA-1: 3b9cf62b9a4c5a863da4505daa3122d791070f3e SHA-256: 1bfd7e3dfa33d09bf9e5a5829bfd547b7c31abd923b3e03dd4062a7124ced2fa

262 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains multiple embedded OLE objects and triggers an ".objupdate" command, which is indicative of exploiting vulnerabilities like CVE-2017-8759 for client execution. ClamAV detections further confirm its malicious nature, flagging it as Doc.Macro.Obfuscation. The primary attack vector is likely spearphishing attachment, with the embedded OLE object serving as the mechanism to download and execute a secondary payload.

Heuristics 6

CVE-2017-8759 — MSXML SAX OLE activation critical CVE likely CVE_2017_8759

RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
ClamAV: Doc.Dropper.Agent-6412232-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1
\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
OLE object data medium RTF_OBJDATA

RTF contains 12 \objdata section(s) — embedded OLE objects
Embedded OLE object medium RTF_OBJEMB

RTF contains \objemb — embedded OLE object
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.microsoft.com/office/word/2003/wordml In RTF body

Extracted artifacts 12

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off00002c1b.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x2C1B	24123 bytes
SHA-256: `d985b81cedd5cf06739a8690205448b4eb12729038c9988da7024a1b0c976ca3`
Detection ClamAV: Doc.Dropper.Agent-6412232-1 Obfuscation or payload: unlikely
`objdata_01_off000142a5.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x142A5	24123 bytes
SHA-256: `2d576788acbeb31285a865bf0fb8212ed10b1986bd1e12663be93daa404e35de`
Detection ClamAV: Doc.Dropper.Agent-6412232-1 Obfuscation or payload: unlikely
`objdata_02_off0002592f.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x2592F	24123 bytes
SHA-256: `91025d346091bb94da48ab88812ee8042dfef3d0b30efb70a46f632a43878340`
Detection ClamAV: Doc.Dropper.Agent-6412232-1 Obfuscation or payload: unlikely
`objdata_03_off00036fb9.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x36FB9	24123 bytes
SHA-256: `30cabe64ea91260c03c43ba02630635f7c8c552e3d43479f60de7b76d2d15000`
Detection ClamAV: Doc.Dropper.Agent-6412232-1 Obfuscation or payload: unlikely
`objdata_04_off00048643.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x48643	24123 bytes
SHA-256: `9f57cd1544c51c30e2e4bd358cfe84b69e8e12d22c7bab708e71ec2257c481a1`
Detection ClamAV: Doc.Dropper.Agent-6412232-1 Obfuscation or payload: unlikely
`objdata_05_off00059d19.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x59D19	24123 bytes
SHA-256: `234a295f31611979f71ac6225464bfe50ed8d0f43f2f22994e9984155c3f0965`
Detection ClamAV: Doc.Dropper.Agent-6412232-1 Obfuscation or payload: unlikely
`objdata_06_off0006b3a3.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x6B3A3	24123 bytes
SHA-256: `b81c59dfcbf4444d11476d4bb18ed880682b66e25b8e84faa8c3ea1945eb4644`
Detection ClamAV: Doc.Dropper.Agent-6412232-1 Obfuscation or payload: unlikely
`objdata_07_off0007ca2d.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x7CA2D	24123 bytes
SHA-256: `8ca51ac37c49a9ff123d3ada75fb1dc31e9fed1f456b98a7529362698790d5df`
Detection ClamAV: Doc.Dropper.Agent-6412232-1 Obfuscation or payload: unlikely
`objdata_08_off0008e0b7.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x8E0B7	24123 bytes
SHA-256: `54e232fbf4babaf340deb59703cece46482ed7c1091d24dff20287c9fc129731`
Detection ClamAV: Doc.Dropper.Agent-6412232-1 Obfuscation or payload: unlikely
`objdata_09_off0009f741.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x9F741	24123 bytes
SHA-256: `566ccaaf853a3b76e3d39b1a9e65c063c64099f8404df44f357feaa30be495ef`
Detection ClamAV: Doc.Dropper.Agent-6412232-1 Obfuscation or payload: unlikely
`objdata_10_off000b0e17.bin`	rtf-objdata-decoded	RTF \objdata at offset 0xB0E17	24123 bytes
SHA-256: `f357a46e14fb55a3fe3f0d066795d8188fa240b88de36eb449eb49a3e7563774`
Detection ClamAV: Doc.Dropper.Agent-6412232-1 Obfuscation or payload: unlikely
`objdata_11_off000c24a1.bin`	rtf-objdata-decoded	RTF \objdata at offset 0xC24A1	24123 bytes
SHA-256: `26916214f427fc15db88f055415098cb03d67be7626078e70afd05320a3c4778`
Detection ClamAV: Doc.Dropper.Agent-6412232-1 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.