Malicious RTF — malware analysis report

Static analysis result for SHA-256 1fd4173eb4acb820…

Verdict: MALICIOUS
File type: RTF
Size: 724.5 KB
Created: 2013-03-13 17:07:00
Authoring application: Microsoft Word 11.0.5604
First seen: 2015-02-05
MD5: 1b154aac57f283644d39aa3d5d7d6b0e
SHA-1: ddb11b52208e1b59a70b6f3637d54b4e1c9541db
SHA-256: 1fd4173eb4acb820924c3f1a057fdbae54f8e74628e239cc3fffda5795124470
Risk score: 82

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file contains embedded OLE object data, specifically triggering the CVE-2012-0158 vulnerability related to MSCOMCTL.OCX. This indicates an attempt to exploit a client-side vulnerability for code execution. The presence of shellcode candidates within the extracted objdata further supports this. While one URL is benign, another is unclassified, and the file's primary function appears to be exploiting this known vulnerability, likely as part of a phishing campaign.

Heuristics (4)

  • MSCOMCTL.TreeView — CVE-2012-0158 [severity: high; category: CVE related; tag: CVE_2012_0158]
    The RTF \objdata decodes to OLE data containing the CLSID of the MSCOMCTL.TreeView control (CVE-2012-0158): the vulnerable control/moniker is embedded directly in the document's object stream, which is the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
  • OLE object data [severity: medium; tag: RTF_OBJDATA]
    The RTF contains 4 \objdata sections (embedded OLE objects).
  • Suspicious extracted artifact [severity: medium; tag: EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [severity: info; tag: EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www1.kaiho.mlit.go.jp/press/taiken-HP/newpage-taiken.html (in RTF body)
    • http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • objdata_00_off00002ece.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x2ECE
    Size: 60541 bytes
    SHA-256: ebfb5fead527bcd0c19cd508dade532557bf39aec42fac3cc4f3cdf00addf717
  • objdata_01_off0003d26f.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x3D26F
    Size: 20196 bytes
    SHA-256: 5d6d90921df341b61e5d575abd0888715b55e15e212508ce5b9c95e40b127bd1
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Static shellcode analysis found candidate code region(s); indicators: SC_PEB_ACCESS
  • objdata_02_off0003d28f.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x3D28F
    Size: 20190 bytes
    SHA-256: 2ae244194108dd44c879ae8332a9b61946e8e2e7c642afdd79d36c449cf75a84
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Static shellcode analysis found candidate code region(s); indicators: SC_PEB_ACCESS