RTF malware analysis — malicious · 24ba5b21ec6a6f79

MALICIOUS

RTF

745.0 KB Created: 2019-08-01 11:11:00 First seen: 2020-06-01

MD5: 44772dbcc84742afb82e1c61d77777dc SHA-1: 6ffa57f650ee48fe715c322c4698b87c3cd9d452 SHA-256: 24ba5b21ec6a6f7960834760cde89f208e473d23965600b9cfb89e1883ec243a

222 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains multiple embedded OLE objects, with one specifically triggering activation via \objupdate. The critical finding is the exploitation of CVE-2017-8759, which involves MSXML SAX OLE activation. This technique is commonly used to download and execute malicious payloads. No document body or scripts were extracted, but the OLE object structure and the CVE exploit strongly indicate a malicious intent to execute arbitrary code.

Heuristics 7

CVE-2017-8759 — MSXML SAX OLE activation critical CVE likely CVE_2017_8759

RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
Composite Moniker in RTF OLE object high CVE related RTF_COMPOSITE_MONIKER_RELATED

RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
OLE object data medium RTF_OBJDATA

RTF contains 3 \objdata section(s) — embedded OLE objects
Embedded OLE object medium RTF_OBJEMB

RTF contains \objemb — embedded OLE object
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.microsoft.com/office/word/2003/wordml In RTF body

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off000028f8.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x28F8	108078 bytes
SHA-256: `ede0d0eba51bd6400cecfa07364b1e385edd36ddfb1eecdcc2e19a14845af289`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved macro source contains an auto-exec entry point and execution/download terms.
`objdata_01_off0003d43d.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x3D43D	108078 bytes
SHA-256: `ed46299a372c0f6f16a9886d71b6d4061f2234641143b17520ae52203c663966`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved macro source contains an auto-exec entry point and execution/download terms.
`objdata_02_off00077f82.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x77F82	108078 bytes
SHA-256: `89a339fc83ab6739dd922db0ee10347c901d4153e68a498b6a01244e95d8c467`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.