Malicious RTF — malware analysis report

Static analysis result for SHA-256 2791505621f65a36…

MALICIOUS

RTF

Size: 736.9 KB
Created: 2018-05-02 20:19:00
First seen: 2019-04-17
MD5: baa74a1697dd9bbae2e46d8af67ad208
SHA-1: ef499844d8af5166d3e64388cb7bb0112eea6074
SHA-256: 2791505621f65a3640d1f758a04dc095e71e16e213c824c65a2f38c0ac776051
Risk Score: 262

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file contains multiple embedded OLE objects and carries the \objupdate control word, which forces the objects to be activated when the document is opened; this combination is indicative of exploiting vulnerabilities such as CVE-2017-8759 for client execution. ClamAV detections further confirm its malicious nature, flagging it as Doc.Macro.Obfuscation. The primary attack vector is likely a spearphishing attachment, with the embedded OLE object serving as the mechanism to download and execute a secondary payload.

Heuristics (6)

  • CVE-2017-8759 — MSXML SAX OLE activation [critical] (CVE_2017_8759)
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • ClamAV: Doc.Dropper.Agent-6412232-1 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1
  • \objupdate forces OLE activation [high] (RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] (RTF_OBJDATA)
    RTF contains 10 \objdata section(s) — embedded OLE objects
  • Embedded OLE object [medium] (RTF_OBJEMB)
    RTF contains \objemb — embedded OLE object
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Each entry lists: Filename, Kind, Source, Size, SHA-256, Detection, Obfuscation or payload.

objdata_00_off00002c16.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x2C16
  Size: 24123 bytes
  SHA-256: 63b2554dbdbb4bc3a7d8984ea93ca03d6b1ef480b63e5443893544e1924b6d87
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely

objdata_01_off0001429c.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x1429C
  Size: 24123 bytes
  SHA-256: 8f79b49f2e2211734a084686662a547ff16f1d419be6f69d4a12cc55c4c48665
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely

objdata_02_off00025922.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x25922
  Size: 24123 bytes
  SHA-256: 7be620ad28422773c823a4b88c0551c4d7defc93f0119e2c6ca486807f074603
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely

objdata_03_off00036fa8.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x36FA8
  Size: 24123 bytes
  SHA-256: 5d9433f48d07784ee3b8c20a0620de17cdf598a24ad8f8c77cb73e93236a7e07
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely

objdata_04_off0004862e.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x4862E
  Size: 24123 bytes
  SHA-256: 9d85798a3305351b15465bfa6cdb62e6f34b6fb8fb8430a1cd34485545de9485
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely

objdata_05_off00059cb4.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x59CB4
  Size: 24123 bytes
  SHA-256: 2cc9a34d3c3c195b1c546df6289e414310209703741e48842a9c2d804a7f3860
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely

objdata_06_off0006b33a.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x6B33A
  Size: 24123 bytes
  SHA-256: 6b66e55ff72cafb4cdacd44717c5a3a82ec427523698e924248b7d89ea16ff42
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely

objdata_07_off0007c9c0.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x7C9C0
  Size: 24123 bytes
  SHA-256: 9df616217b12d0dc91eb774b2b902c8013adb1774a231d1021ff8760a8c7e01d
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely

objdata_08_off0008e046.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x8E046
  Size: 24123 bytes
  SHA-256: c536e2137161ffde13c6014e15ce646b01f11c04413d6696a6ccf1a9a38aedf3
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely

objdata_09_off0009f6cc.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x9F6CC
  Size: 24123 bytes
  SHA-256: acf4e94c9c0dad91ddbccafaf5fa766afb6badbe8d3b45b5e0220c35c9eeda57
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely