Verdict: MALICIOUS
Risk Score: 522
Malware Insights
MITRE ATT&CK: T1203 Exploitation for Client Execution
The RTF file contains multiple indicators of malicious activity, including OLE object data, composite monikers, and embedded PE headers, strongly suggesting the exploitation of CVE-2017-8570. ClamAV detections for 'Win.Trojan.Agent-6580303-0' and 'Xml.Malware.Squiblydoo-6728833-0' on an extracted artifact further confirm its malicious nature. The file likely acts as a dropper for a trojan payload.
Heuristics (12)
- Composite Moniker — CVE-2017-8570 (drops SCT script) [critical, CVE_2017_8570]: RTF \objdata decodes to OLE data containing the Composite Moniker — CVE-2017-8570 (drops SCT script) CLSID — the vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
- Composite Moniker in RTF OLE object [high, RTF_COMPOSITE_MONIKER_RELATED]: RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
- ClamAV: Win.Trojan.Agent-6580303-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Win.Trojan.Agent-6580303-0
- PE header (with DOS stub) in hex data [critical, RTF_MZ_HEX]: Hex-encoded PE (MZ + DOS stub) found inside RTF — likely an embedded executable payload
- Automatically linked OLE object [high, RTF_OBJAUTLINK]: RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
- \objupdate forces OLE activation [high, RTF_OBJUPDATE]: RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
- Package object class [high, RTF_OBJCLASS_PACKAGE]: OLE Package object — can wrap arbitrary files
- Large hex data blocks in OLE object [high, RTF_EXCESSIVE_HEX]: RTF contains ~1938KB of hex-encoded data inside \objdata sections — may hide a payload
- Suspicious extracted artifact [high, EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- OLE object data [medium, RTF_OBJDATA]: RTF contains 6 \objdata section(s) — embedded OLE objects
- Embedded OLE object [medium, RTF_OBJEMB]: RTF contains \objemb — embedded OLE object
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://www.cnarc.info/index.php%20%20/organization (In RTF body)
  - https://www.cnarc.info/index.php}{ (In RTF body)
  - http://afops.org (In RTF body)
  - https://pag.arcticportal.org/about-pag (In RTF body)
  - http://english.gov.cn/archive/publications/2017/06/20/content_281475691873460.htm (In RTF body)
  - http://www.scio.gov.cn/zfbps/32832/Document/1618243/1618243.htm (In RTF body)
  - http://www.fmprc.gov.cn (In RTF body)
  - http://www.china.org.cn/node_7247529/content_40569136.htm (In RTF body)
  - https://www.cryopolitics.com/2015/06/23/the-donut-hole-at-the-center-of-the-arctic-ocean/ (In RTF body)
  - http://newsnowfinland.fi/news-now-original/the-ice-dragon-cometh-chinas-arctic-ambitions (In RTF body)
  - https://gbtimes.com/china-finland-in-talks-about-arctic-telecom-cable (In RTF body)
  - http://www.tpk.fi/public/default.aspx?contentid=360378&culture=en-US (In RTF body)
  - http://www.usertrust.com1 (In RTF body)
  - http://ocsp.usertrust.com0 (In RTF body)
  - https://secure.comodo.net/CPS0C (In RTF body)
  - http://ocsp.comodoca.com0 (In RTF body)
  - http://www.csis.org/ (In RTF body)
  - https://www.adn.com/politics/2017/11/08/report-alaska-gas-line-agency-signs-agreement-with-chinese-oil-company-financial-institutions/ (In RTF body)
  - https://www.adn.com/politics/2017/11/08/report-alaska-}{}}}{ (In RTF body)
  - https://www.bloomberg.com/news/articles/2017-10-26/china-to-get-first-yamal-lng-cargo-as-russia-says-thank-you (In RTF body)
  - https://www.bloomberg.com/news/articles/2017-10-26/china-to-get-first-yamal-lng-cargo-as-russia-says-thank-}{}}}{ (In RTF body)
  - https://www.loc.gov/law/help%20/us-treaties/bevans/m-ust000002-0269.pdf (In RTF body)
  - https://www.loc.gov/law/help}{ (In RTF body)
  - https://csis-prod.s3.amazonaws.com/s3fs-public/publication/171027_Conley_MaritimeFutures_Web.pdf?mHPGy0uKqRMcek0zw6av5jI332MeELk5 (In RTF body)
  - https://csis-prod.s3.amazonaws.com/s3fs-}{}}}{ (In RTF body)
  - https://thebarentsobserver.com/en/arctic/2017/09/chinese-company-cosco-confirms-interest-trans-arctic-shipping-arkhangelsk (In RTF body)
  - https://thebarentsobserver.com/en/arctic/2017/09/chinese-company-cosco-}{}}}{ (In RTF body)
  - https://af.reuters.com/article/commoditiesNews/idAFL8N15P1OK (In RTF body)
  - https://www.ft.com/content/22842e82-9979-11e4-a3d7-00144feabdc0 (In RTF body)
  - http://www.miningweekly.com/article/greenland-minerals-teams-up-with-shenghe-on-kvanefjeld-development-2016-09-23/rep_id:3650 (In RTF body)
  - http://www.miningweekly.com/article/greenland-minerals-teams-up-with-shenghe-on-}{}}}{ (In RTF body)
  - https://thediplomat.com/2015/05/china-iceland-and-the-arctic/ (In RTF body)
  - https://thediplomat.com/2015/05/china-}{}}}{ (In RTF body)
  - https://qz.com/176908/the-chinese-property-tycoon-who-wanted-to-buy-a-chunk-of-iceland-may-settle-for-norway/ (In RTF body)
  - https://qz.com/176908/the-chinese-property-tycoon-who-wanted-to-buy-a-chunk-of-iceland-}{}}}{ (In RTF body)
  - http://www.nytimes.com/2013/04/16/business/global/16iht-iceland16.html (In RTF body)
  - https://thebarentsobserver.com/en/arctic/2017/10/chinas-arctic-road-and-belt-gambit (In RTF body)
  - https://gov.alaska.gov/newsroom/2017/11/presidents-trump-and-xi-witness-historic-signing-of-joint-development-agreement-for-alaska-lng/ (In RTF body)
  - https://gov.alaska.gov/newsroom/2017/11/presidents-}{}}}{ (In RTF body)
  - https://www.state.gov/e/oes/ocns/opa/rls/276136.htm (In RTF body)
  - http://schemas.microsoft.com/windows/2004/02/mit/task (In RTF body)
  - http://www.w3.org/2001/XMLSchema (In RTF body)
  - http://schemas.microsoft.com/windows/2004/02/mit/taskT (In RTF body)
  - https://taskscheduler.codeplex.com/ (In RTF body)
  - http://crl.usertrust.com/UTN-USERFirst-Object.crl05 (In RTF body)
  - http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t (In RTF body)
  - http://crt.comodoca.com/COMODORSACodeSigningCA.crt0$ (In RTF body)
  - http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q (In RTF body)
  - http://crt.comodoca.com/COMODORSAAddTrustCA.crt0$ (In RTF body)
Extracted artifacts (3)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 | Detection |
|---|---|---|---|---|---|
| objdata_00_off0021906e.bin | rtf-objdata-decoded | RTF \objdata at offset 0x21906E | 1093333 bytes | f4df80a38e2e28fbddf88d9856a4d2932afe863fc66f1dd0b757ba1c58211fbb | (none) |
| objdata_01_off0042ee57.bin | rtf-objdata-decoded | RTF \objdata at offset 0x42EE57 | 707 bytes | e60b6b27cf314e7b5f8edd9ff69e062f2d3f8b2408da6d926d66508ba1fd065f | ClamAV: Xml.Malware.Squiblydoo-6728833-0. Obfuscation or payload: likely. Static shellcode analysis recovered command string(s): `WScript.Shell").Run("cmd /c %tmp%\\qrat.exe",0,false);` |
| objdata_02_off0042f42c.bin | rtf-objdata-decoded | RTF \objdata at offset 0x42F42C | 2633 bytes | 089104e2ce7db4d3ba60ee32ee38df20535954a4a222326f11ca640f5d418521 | (none) |