Malicious RTF — malware analysis report

Static analysis result for SHA-256 2f7a692336bad584…

MALICIOUS

RTF

973.7 KB Created: 2018-04-25 01:40:00 First seen: 2020-02-04
MD5: 7883835d2113076d06ee9ed31c8fbe36 SHA-1: 89552e7ef6a7553ba82b95a4c1ca961aca2bdb09 SHA-256: 2f7a692336bad584347b3b98ebeeaa93822734eed1c009e76dc8322019e835c6
142 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains multiple embedded OLE objects and triggers an OLE activation via \objupdate, which is a strong indicator of exploitation. The critical heuristic firing for CVE-2017-8759 confirms the exploitation of this specific vulnerability to achieve code execution. The embedded benign URL is not considered a malicious IOC.

Heuristics 5

  • CVE-2017-8759 — MSXML SAX OLE activation critical CVE likely CVE_2017_8759
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 10 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2003/wordml In RTF body

Extracted artifacts 8

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00002ccf.bin rtf-objdata-decoded RTF \objdata at offset 0x2CCF 31803 bytes
SHA-256: 2a743329a228c86871937ccef53ec5ecf1f3661b4844282b10ab8dbe4d2be53c
objdata_01_off0001a2d6.bin rtf-objdata-decoded RTF \objdata at offset 0x1A2D6 31803 bytes
SHA-256: 2af2d4fd587a7df7c9bccd071453bc098192ede13c4cfa4743c72a6911b96d76
objdata_02_off0002f840.bin rtf-objdata-decoded RTF \objdata at offset 0x2F840 31803 bytes
SHA-256: 5a0484c5cccdbaf779c1ac3f698b4c21e0c607deb8693936988a6122647adbaa
objdata_03_off00044da8.bin rtf-objdata-decoded RTF \objdata at offset 0x44DA8 31803 bytes
SHA-256: c9f49d58bbce7c7218898390d36a8cb161574f6245a7f0faa3cd67a1340e56f5
objdata_05_off0006f878.bin rtf-objdata-decoded RTF \objdata at offset 0x6F878 31803 bytes
SHA-256: d91900956d34ca0f85bbfc7990c4f23006bd059785cce5327caeaf8b7ae9f8e1
objdata_07_off0009a348.bin rtf-objdata-decoded RTF \objdata at offset 0x9A348 31803 bytes
SHA-256: 0a048131af16d48aa1f37499c156f521660618254d2ba717717db3dbde92a034
objdata_08_off000af8b0.bin rtf-objdata-decoded RTF \objdata at offset 0xAF8B0 31803 bytes
SHA-256: 456f0809d9d26f20f1ac61d0d6b5b4c295facec5134ebd2de2746663bd262887
objdata_09_off000c4e18.bin rtf-objdata-decoded RTF \objdata at offset 0xC4E18 31803 bytes
SHA-256: 6f7abc3ac266837dc59db1fb9b42781f7f3bd236014bb318780da5238027b235

Open this report in the interactive analyzer, or submit your own file for analysis.