Malicious RTF — malware analysis report

Static analysis result for SHA-256 2f0c16705083966f…

MALICIOUS

RTF

737.1 KB Created: 2018-05-02 19:58:00 First seen: 2019-04-18
MD5: 8d6e6213d80c43cfdf42b1ee27037634 SHA-1: 74e1d883d38082f75c5318606bdf68106a7a4fd5 SHA-256: 2f0c16705083966f58848270cb8c923644540c79f9ae4130ebef04ab5446a508
262 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains multiple embedded OLE objects and triggers an ".objupdate" command, which is indicative of exploiting vulnerabilities like CVE-2017-8759 for client execution. ClamAV detections further confirm its malicious nature, flagging it as Doc.Macro.Obfuscation. The primary attack vector is likely spearphishing attachment, with the embedded OLE object serving as the mechanism to download and execute a secondary payload.

Heuristics 6

  • CVE-2017-8759 — MSXML SAX OLE activation critical CVE likely CVE_2017_8759
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • ClamAV: Doc.Dropper.Agent-6412232-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 10 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2003/wordml In RTF body

Extracted artifacts 10

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00002c17.bin rtf-objdata-decoded RTF \objdata at offset 0x2C17 24123 bytes
SHA-256: c13741b023b00a608e53c13a46e9ddeff777ea9ca4ac87b11ab50d8e0b325a70
Detection
ClamAV: Doc.Dropper.Agent-6412232-1
Obfuscation or payload: unlikely
objdata_01_off0001429d.bin rtf-objdata-decoded RTF \objdata at offset 0x1429D 24123 bytes
SHA-256: aa68713a695ac3411d8e38f8eb941d37626e47068e456f303c57a3d82df792c0
Detection
ClamAV: Doc.Dropper.Agent-6412232-1
Obfuscation or payload: unlikely
objdata_02_off00025923.bin rtf-objdata-decoded RTF \objdata at offset 0x25923 24123 bytes
SHA-256: 910f5d8e77b9484380f7e9819f908c5faceb2f3458b5a4d5be067cdbd7f126b6
Detection
ClamAV: Doc.Dropper.Agent-6412232-1
Obfuscation or payload: unlikely
objdata_03_off00036fa9.bin rtf-objdata-decoded RTF \objdata at offset 0x36FA9 24123 bytes
SHA-256: b0f5ea892f03f745e12959313824ae85d8b01fd6aa5d31da976b9467a1150022
Detection
ClamAV: Doc.Dropper.Agent-6412232-1
Obfuscation or payload: unlikely
objdata_04_off0004862f.bin rtf-objdata-decoded RTF \objdata at offset 0x4862F 24123 bytes
SHA-256: 4f37e3767e6630e6f7ffbf5687354c0d3f6d5a6fe0b8141c6e980b1df6ef3090
Detection
ClamAV: Doc.Dropper.Agent-6412232-1
Obfuscation or payload: unlikely
objdata_05_off00059cff.bin rtf-objdata-decoded RTF \objdata at offset 0x59CFF 24123 bytes
SHA-256: 5e0a2f1e25ffd14c1804f349a24a46dbe12a04be5ac6215cd7c216d2eb264e9f
Detection
ClamAV: Doc.Dropper.Agent-6412232-1
Obfuscation or payload: unlikely
objdata_06_off0006b385.bin rtf-objdata-decoded RTF \objdata at offset 0x6B385 24123 bytes
SHA-256: 582877d5d89b1270f5cab97b115ea865b796be7579fb5b1c918bf7f6d0c6082a
Detection
ClamAV: Doc.Dropper.Agent-6412232-1
Obfuscation or payload: unlikely
objdata_07_off0007ca0b.bin rtf-objdata-decoded RTF \objdata at offset 0x7CA0B 24123 bytes
SHA-256: acaaa97df1133f901aed749ea6baad6f98e78dc8116c10c3efe6c549a298ca52
Detection
ClamAV: Doc.Dropper.Agent-6412232-1
Obfuscation or payload: unlikely
objdata_08_off0008e091.bin rtf-objdata-decoded RTF \objdata at offset 0x8E091 24123 bytes
SHA-256: 455d3596c560aaa051fb41ef0c9c991e9fa740f65f421c77ff36e113c8027f3f
Detection
ClamAV: Doc.Dropper.Agent-6412232-1
Obfuscation or payload: unlikely
objdata_09_off0009f717.bin rtf-objdata-decoded RTF \objdata at offset 0x9F717 24123 bytes
SHA-256: c81a2abe81dddc738440f5c967e66161ba72dd8d609592d0ad0fa0f82bc7be58
Detection
ClamAV: Doc.Dropper.Agent-6412232-1
Obfuscation or payload: unlikely