Rtf.Downloader.CVE_2017-6336326-3 — RTF malware analysis

Static analysis result for SHA-256 214ef0805e3087a4…

MALICIOUS

RTF

5.6 KB First seen: 2023-05-13
MD5: 741cc524dd3c4c55ce9d36286597c137 SHA-1: 395c1296fb49eb615d534092fc651e243c372270 SHA-256: 214ef0805e3087a4ff63a0baf1a284eaaf11780788083f19d4477276b6ad90e6
222 Risk Score

Malware Insights

Rtf.Downloader.CVE_2017-6336326-3 · confidence 95%

MITRE ATT&CK
T1204.002 Malicious File Execution: Malicious File T1566.001 Phishing: Spearphishing Attachment T1190 Exploit Public-Facing Application

This RTF document exploits the CVE-2017-8759 vulnerability, which is related to SOAP Moniker processing. The presence of OLE object data and automatic linking suggests an attempt to embed and activate malicious content. The ClamAV detection confirms this is a downloader, likely to fetch and execute a second-stage payload.

Heuristics 6

  • SOAP Moniker — CVE-2017-8759 (SOAP WSDL RCE) critical CVE related CVE_2017_8759
    RTF \objdata decodes to OLE data containing the SOAP Moniker — CVE-2017-8759 (SOAP WSDL RCE) CLSID — the vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
  • ClamAV: Rtf.Downloader.CVE_2017-6336326-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Rtf.Downloader.CVE_2017-6336326-3
  • Automatically linked OLE object high RTF_OBJAUTLINK
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2003/wordml

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000001a2.bin
92f2bcfb14febd83e5c5cc9ca5c18c4e1aecc8e3ef60fdf2094ba23fdfd32474		 rtf-objdata-decoded RTF \objdata at offset 0x1A2 2600 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.