Malicious RTF — malware analysis report

Static analysis result for SHA-256 2752ed543f880807…

Verdict: MALICIOUS
File type: RTF
Size: 776.0 KB
Created: 2017-11-10 22:42:00
First seen: 2017-12-24
MD5: 4a5f943cd792f3a1fc46bbe3c83344f6
SHA-1: 573d130a4a3d44bafaf451b1065fd4c3a012a3c7
SHA-256: 2752ed543f880807557ba9556838e4ef6a1582ea50351fc2723e4d63f4f57ad9
Risk score: 262

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file contains multiple embedded OLE objects, with heuristics indicating that \objupdate forces OLE activation. Crucially, the file is flagged for CVE-2017-8759, a vulnerability in MSXML that allows for OLE object activation. This suggests the file's primary purpose is to exploit this vulnerability to execute arbitrary code, likely by downloading and running a secondary payload.

Heuristics (6)

  • CVE-2017-8759 — MSXML SAX OLE activation [critical; CVE, likely] (CVE_2017_8759)
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • ClamAV: Doc.Macro.Obfuscation-6391394-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Macro.Obfuscation-6391394-0
  • \objupdate forces OLE activation [high] (RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] (RTF_OBJDATA)
    RTF contains 10 \objdata section(s): embedded OLE objects.
  • Embedded OLE object [medium] (RTF_OBJEMB)
    RTF contains \objemb: an embedded OLE object.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256 | Detection | Obfuscation or payload
objdata_00_off00002a85.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2A85 | 26171 bytes | ca67ac80d0c00591cca0fc1d1ac5867cce829b645acf738951ba7646b2cb4415 | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely
objdata_01_off000150d2.bin | rtf-objdata-decoded | RTF \objdata at offset 0x150D2 | 26171 bytes | 03128cf63b9470fa3787c80fb319115f4010c18c9d5cf746e2fb754154df859b | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely
objdata_02_off00027721.bin | rtf-objdata-decoded | RTF \objdata at offset 0x27721 | 26171 bytes | ff2f9493d2d4c32e287abc619c06f80cd3257b3ff10963b0ecd2ea90156b8d72 | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely
objdata_03_off00039d70.bin | rtf-objdata-decoded | RTF \objdata at offset 0x39D70 | 26171 bytes | 4d2f44cedd126df047cde5e7ff41f6638cd6cb014acd1e1dc457146d0d4561d0 | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely
objdata_04_off0004c3bf.bin | rtf-objdata-decoded | RTF \objdata at offset 0x4C3BF | 26171 bytes | eb27f6d0284c65351831933373e56aee285b72f140054ff3b6309f0465e998c3 | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely
objdata_05_off0005ea0e.bin | rtf-objdata-decoded | RTF \objdata at offset 0x5EA0E | 26171 bytes | 85d4fbb7c342d7debd249a77366ecfb6efb6197816ef998916445140da274444 | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely
objdata_06_off0007105d.bin | rtf-objdata-decoded | RTF \objdata at offset 0x7105D | 26171 bytes | 282d642c187459d4509ccb2d4603bc48fbfdb4093535a8efb44d0492ede54289 | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely
objdata_07_off000836ac.bin | rtf-objdata-decoded | RTF \objdata at offset 0x836AC | 26171 bytes | f56f6810661fb244fbc4250519655a6b7bb4abac914084bde8e285d029a3cf7f | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely
objdata_08_off00095cfb.bin | rtf-objdata-decoded | RTF \objdata at offset 0x95CFB | 26171 bytes | 4d308970698b2cc98707fc7656ab63edb154c48a8cdd88a2b0eb9521e23f5818 | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely
objdata_09_off000a834a.bin | rtf-objdata-decoded | RTF \objdata at offset 0xA834A | 26171 bytes | cb99d9a697a1c94708580e6de919fd8f73d2921f00edfbf4320b1b25c915ed2a | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely