Malicious RTF — malware analysis report

Static analysis result for SHA-256 21f5514d6256a20d…

Verdict: MALICIOUS

File type: RTF

Size: 6.28 MB
Authoring application: LibreOffice/5.3.7.2$Linux_X86_64 LibreOffice_project/6b8ed514a9f8b44d37a1b96673cbbdd077e24059
First seen: 2020-02-04
MD5: 598eeb6a18233023f3551097aa49b083
SHA-1: e9a46966f93fe15c22636a5033c61c725add8fa5
SHA-256: 21f5514d6256a20dcf9af315ee742d6d2a5b07009b200b447c45b2e8f057361d
Risk Score: 522

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF file contains multiple indicators of malicious activity, including OLE object data, composite monikers, and embedded PE headers, strongly suggesting the exploitation of CVE-2017-8570. ClamAV detections for 'Win.Trojan.Agent-6580303-0' and 'Xml.Malware.Squiblydoo-6728833-0' on an extracted artifact further confirm its malicious nature. The file likely acts as a dropper for a trojan payload.

Heuristics (12)

  • Composite Moniker — CVE-2017-8570 (drops SCT script) [critical, CVE related, CVE_2017_8570]
    RTF \objdata decodes to OLE data containing the Composite Moniker — CVE-2017-8570 (drops SCT script) CLSID — the vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
  • Composite Moniker in RTF OLE object [high, CVE related, RTF_COMPOSITE_MONIKER_RELATED]
    RTF contains the Composite Moniker CLSID in an OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat this as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • ClamAV: Win.Trojan.Agent-6580303-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Win.Trojan.Agent-6580303-0
  • PE header (with DOS stub) in hex data [critical, RTF_MZ_HEX]
    Hex-encoded PE (MZ + DOS stub) found inside the RTF — likely an embedded executable payload.
  • Automatically linked OLE object [high, RTF_OBJAUTLINK]
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation [high, RTF_OBJUPDATE]
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • Package object class [high, RTF_OBJCLASS_PACKAGE]
    OLE Package object — can wrap arbitrary files.
  • Large hex data blocks in OLE object [high, RTF_EXCESSIVE_HEX]
    RTF contains ~1938 KB of hex-encoded data inside \objdata sections — may hide a payload.
  • Suspicious extracted artifact [high, EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • OLE object data [medium, RTF_OBJDATA]
    RTF contains 6 \objdata section(s) — embedded OLE objects.
  • Embedded OLE object [medium, RTF_OBJEMB]
    RTF contains \objemb — embedded OLE object.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0021906e.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x21906E
Size: 1093333 bytes
SHA-256: f4df80a38e2e28fbddf88d9856a4d2932afe863fc66f1dd0b757ba1c58211fbb

Filename: objdata_01_off0042ee57.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x42EE57
Size: 707 bytes
SHA-256: e60b6b27cf314e7b5f8edd9ff69e062f2d3f8b2408da6d926d66508ba1fd065f
Detection: ClamAV: Xml.Malware.Squiblydoo-6728833-0
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): WScript.Shell").Run("cmd /c %tmp%\\qrat.exe",0,false);

Filename: objdata_02_off0042f42c.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x42F42C
Size: 2633 bytes
SHA-256: 089104e2ce7db4d3ba60ee32ee38df20535954a4a222326f11ca640f5d418521