Malicious RTF — malware analysis report

Static analysis result for SHA-256 2e8eb362c0f51b92…

MALICIOUS

RTF

Size: 173.1 KB
Created: 2013-09-02 18:24:00
First seen: 2020-07-24
MD5: 574c0c60df82b3d79937eaacddf83e3d
SHA-1: dea0e257d1cb4e1dae062dc3877d3111b4773eee
SHA-256: 2e8eb362c0f51b92fec162c220a34c97bcacf2d54af09f5e37f0917a920a0b40
Risk Score: 140

Malware Insights

MITRE ATT&CK

  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file contains multiple embedded OLE objects and triggers the ".objupdate" directive, which forces OLE activation. The critical heuristic firing for CVE-2017-8759 indicates exploitation of MSXML SAX OLE activation. This suggests the document is designed to exploit this vulnerability to execute arbitrary code, likely by downloading and running a second-stage payload.

Heuristics (4)

  • CVE-2017-8759 — MSXML SAX OLE activation [critical] [CVE likely] [CVE_2017_8759]
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • \objupdate forces OLE activation [high] [RTF_OBJUPDATE]
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] [RTF_OBJDATA]
    RTF contains 3 \objdata section(s) — embedded OLE objects.
  • Embedded OLE object [medium] [RTF_OBJEMB]
    RTF contains \objemb — embedded OLE object.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                    Kind                 Source                          Size
objdata_00_off00011b76.bin  rtf-objdata-decoded  RTF \objdata at offset 0x11B76  45308 bytes
    SHA-256: 13f30052964403e3a7fed3515c97e464f213cc25022815cb9c2eef1eac97027c
objdata_01_off00027d94.bin  rtf-objdata-decoded  RTF \objdata at offset 0x27D94  6847 bytes
    SHA-256: a1fb4393faca0e534a7e9a9d9da49fac0d334accf172a6066859a726dc5fe7b8
objdata_02_off00027dae.bin  rtf-objdata-decoded  RTF \objdata at offset 0x27DAE  6843 bytes
    SHA-256: 8eca43c06a36e7ff44d4af16b08dc92196dfdd3e4ab0c799623c9327ea97e45c