Malicious RTF — malware analysis report

Static analysis result for SHA-256 1c2456bfc3dd5d67…

MALICIOUS

RTF

Size: 841.4 KB
Created: 2018-03-12 22:48:00
First seen: 2018-06-21
MD5: 357c9ec9b89e3392235499295a191785
SHA-1: 6ba9eead97c325df72329e208d140a56cd574ddd
SHA-256: 1c2456bfc3dd5d67413915adb867bdec6ba7c99cee96bf2a3e4fe28a4992c05e
Risk score: 262

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file contains multiple embedded OLE objects and carries a \objupdate control word, which forces the objects to be instantiated when the document is opened and is indicative of exploiting vulnerabilities such as CVE-2017-8759 for client execution. ClamAV detections further confirm its malicious nature, flagging it as Doc.Macro.Obfuscation. The primary attack vector is likely a spearphishing attachment, with the embedded OLE object serving as the mechanism to download and execute a secondary payload.

Heuristics 6

  • CVE-2017-8759 — MSXML SAX OLE activation | severity: critical | CVE likely | rule: CVE_2017_8759
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • ClamAV: Xls.Downloader.Generic-6750544-0 | severity: critical | rule: CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Generic-6750544-0
  • \objupdate forces OLE activation | severity: high | rule: RTF_OBJUPDATE
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data | severity: medium | rule: RTF_OBJDATA
    RTF contains 10 \objdata section(s) (embedded OLE objects).
  • Embedded OLE object | severity: medium | rule: RTF_OBJEMB
    RTF contains \objemb (embedded OLE object).
  • Embedded URL | severity: info | rule: EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts 6

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size

objdata_00_off00002c4c.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2C4C | 28731 bytes
  SHA-256: 0f878a9ab683d654561495efed2b2b626926bb2cee11e0a54c24838dd35a36e8
  Detection: ClamAV: Xls.Downloader.Generic-6750544-0
  Obfuscation or payload: unlikely

objdata_01_off00016c8d.bin | rtf-objdata-decoded | RTF \objdata at offset 0x16C8D | 28731 bytes
  SHA-256: 231f4e254004558ac141cb152997de8e0e817a3f568ed7c6c024a85ec4b01792
  Detection: ClamAV: Xls.Downloader.Generic-6750544-0
  Obfuscation or payload: unlikely

objdata_02_off0002acce.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2ACCE | 28731 bytes
  SHA-256: a02c69753411b5c6788c9c0972ece594214009d630a478057566eae7cd8a2f09
  Detection: ClamAV: Xls.Downloader.Generic-6750544-0
  Obfuscation or payload: unlikely

objdata_04_off00052d50.bin | rtf-objdata-decoded | RTF \objdata at offset 0x52D50 | 28731 bytes
  SHA-256: 1fa5f19d0b1f7ab3070fead3b458d54aa95c57493f8dc60126852607aaf8add2
  Detection: ClamAV: Xls.Downloader.Generic-6750544-0
  Obfuscation or payload: unlikely

objdata_06_off0007ae1c.bin | rtf-objdata-decoded | RTF \objdata at offset 0x7AE1C | 28731 bytes
  SHA-256: b982feb53e36ef0b0ca658a3c133a7f42ecf2a85fa79651511cb2282078c043d
  Detection: ClamAV: Xls.Downloader.Generic-6750544-0
  Obfuscation or payload: unlikely

objdata_08_off000a2e9e.bin | rtf-objdata-decoded | RTF \objdata at offset 0xA2E9E | 28731 bytes
  SHA-256: 7e1af58b738f456ccefbc068321daff4ff93bae41dddc8fc2af592e9fa2087f1
  Detection: ClamAV: Xls.Downloader.Generic-6750544-0
  Obfuscation or payload: unlikely