Malicious RTF — malware analysis report

Static analysis result for SHA-256 240cc91182069037…

Verdict: MALICIOUS
File type: RTF
Size: 634.6 KB   Created: 2013-03-13 17:07:00   First seen: 2019-05-31
MD5:     8c06aec37c7e51f581aaa41f66d4ebad
SHA-1:   78c87d227407cfe0428abb149de58cb4aea6c520
SHA-256: 240cc911820690373851423dece631049c969c1b59f99b9e888f2e890e345825
Risk score: 182

Malware Insights

MITRE ATT&CK
  • T1203: Exploitation for Client Execution
  • T1566.001: Spearphishing Attachment

The RTF file contains multiple heuristics indicating exploitation of CVE-2012-0158, a known vulnerability in MSCOMCTL.TreeView. This vulnerability is often leveraged to execute arbitrary code. The file also contains an embedded encrypted payload, further suggesting its role as a dropper for malicious content. The ClamAV detection as Rtf.Dropper.Agent-6320192-0 reinforces this assessment.

Heuristics (6)

  • MSCOMCTL.TreeView — CVE-2012-0158 (severity: high; category: CVE related; rule: CVE_2012_0158)
    RTF \objdata decodes to OLE data containing the MSCOMCTL.TreeView — CVE-2012-0158 CLSID — the vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
  • CVE-2012-0158 RTF embedded encrypted payload (severity: high; category: CVE related; rule: RTF_CVE_2012_0158_EMBEDDED_PAYLOAD)
    The CVE-2012-0158 document embeds a large high-entropy binary blob — the encrypted/packed second-stage payload the exploit shellcode drops and runs. Hex-encoded object data cannot reach this entropy, so the region is genuine binary, not markup. The payload is encrypted in the file, so it is surfaced as an IOC (offset, size, SHA-256) rather than a decoded executable.
  • ClamAV: Rtf.Dropper.Agent-6320192-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Rtf.Dropper.Agent-6320192-0
  • OLE object data (severity: medium; rule: RTF_OBJDATA)
    RTF contains 4 \objdata section(s), i.e. embedded OLE objects.
  • Suspicious extracted artifact (severity: medium; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (found in: RTF body)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00002f06.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x2F06
  Size: 60541 bytes
  SHA-256: f5bdfc21b803a49306e9b785eb35d9e03308edee8de94ae1cf44b02ab4b1fcdb

Filename: objdata_01_off0003d807.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x3D807
  Size: 20196 bytes
  SHA-256: 031644294be806fef26bd8734eab51a467c7c4c4c82b1942065d4fe00d0d13b7
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely
    Static shellcode analysis found candidate code region(s). Indicators: SC_PEB_ACCESS

Filename: objdata_02_off0003d827.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x3D827
  Size: 20190 bytes
  SHA-256: d95b42602f02eb390f69dfd73864c1966b43a54a2eca08a5c0f0faa98d2707b7
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely
    Static shellcode analysis found candidate code region(s). Indicators: SC_PEB_ACCESS