Malicious RTF — malware analysis report

Static analysis result for SHA-256 1f4b511cdb789b61…

MALICIOUS

RTF

911.7 KB Created: 2019-09-17 13:59:00 First seen: 2020-06-01
MD5: 032503908d05f2c4c2daa0095c569bb1 SHA-1: 6afc5d18a7a692fa8cf3aacb459baabb6447d637 SHA-256: 1f4b511cdb789b6146839366413984b06a437c6f93db38d88a77bb250a004cea
142 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF document contains an embedded OLE object that is configured to automatically update and activate. This activation is triggered by the CVE-2017-8759 vulnerability, which is known to be used for executing arbitrary code. The embedded object likely serves as a dropper for a secondary payload.

Heuristics 5

  • CVE-2017-8759 — MSXML SAX OLE activation critical CVE likely CVE_2017_8759
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2003/wordml In RTF body

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000dc752.bin rtf-objdata-decoded RTF \objdata at offset 0xDC752 1413 bytes
SHA-256: 198937381db7285108f9704340519e92d08abf078b28504981253483d0c04f03