Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 2fd2c47bfccc58b2…

MALICIOUS

RTF / .DOC

41.8 KB Created: 2020-03-25 12:01:00
MD5: 298a72d0fdbccc6197437190f1e2576d SHA-1: f129b07a0b478c928e508c3c41da4e2e366cc16b SHA-256: 2fd2c47bfccc58b26c302758639cf48c087e1115b7e8dc466e81262fb422318e
440 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File: User Execution T1059.003 Command and Scripting Interpreter: Windows Command Shell T1059.001 Command and Scripting Interpreter: PowerShell

The RTF document contains embedded OLE objects and is configured to automatically update and activate them, exploiting CVE-2017-8570. It also includes a lure to enable editing and content, which is a common technique for malware droppers. The presence of suspicious cmd.exe and PowerShell references further indicates malicious intent, likely to download and execute a second-stage payload.

Heuristics 12

  • CVE-2017-8570 (Composite Moniker + scriptlet payload) critical CVE likely CVE_2017_8570
    RTF contains Composite Moniker CLSID together with nearby scriptlet/SCT payload evidence, matching the CVE-2017-8570 exploit shape.
  • ClamAV: Xml.Malware.Squiblydoo-6728833-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xml.Malware.Squiblydoo-6728833-0
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Suspicious cmd.exe invocation with execution flag high SC_STR_CMD
    Suspicious cmd.exe invocation with execution flag
  • Reference to PowerShell high SC_STR_POWERSHELL
    Reference to PowerShell
  • Automatically linked OLE object high RTF_OBJAUTLINK
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • Package object class high RTF_OBJCLASS_PACKAGE
    OLE Package object — can wrap arbitrary files
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/offic

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00008ad5.bin
afb4805a0e73a5c5a331afbc08ac94abec509440858876adb9d0c9de42d35f73		 rtf-objdata-decoded RTF \objdata at offset 0x8AD5 935 bytes
Detection
ClamAV: Xml.Malware.Squiblydoo-6728833-0
Obfuscation or payload: unlikely
objdata_01_off0000926b.bin
0dd01aeae473da2d19a17997ece9c06c6d52f7fac2cc857ed1a0e3d9f2561f2d		 rtf-objdata-decoded RTF \objdata at offset 0x926B 2633 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.