Malicious RTF — malware analysis report

Static analysis result for SHA-256 3cb31e678f510daf…

Verdict: MALICIOUS
File type: RTF
Size: 923.4 KB
Created: 2018-04-24 11:33:00
First seen: 2018-07-04
MD5: 059682692cbd61194e609f8edb82ded2
SHA-1: f2f6bb2ee51d664941e67cad0d352305eeb4a64f
SHA-256: 3cb31e678f510daf7bb47b4d8b13cfafbc3fba68b5c09b8ce9f42853e8fd19f5
Risk Score: 262

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file contains multiple embedded OLE objects, with one specifically triggering an update via \objupdate. This activity is strongly indicative of exploitation for client execution, leveraging the CVE-2017-8759 vulnerability in MSXML SAX OLE activation. The ClamAV detection of 'Doc.Dropper.Agent-6547890-0' further confirms its malicious nature as a dropper.

Heuristics (6)

  • CVE-2017-8759 — MSXML SAX OLE activation [critical, CVE, likely] (CVE_2017_8759)
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • ClamAV: Doc.Dropper.Agent-6547890-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6547890-0
  • \objupdate forces OLE activation [high] (RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] (RTF_OBJDATA)
    RTF contains 10 \objdata section(s) — embedded OLE objects
  • Embedded OLE object [medium] (RTF_OBJEMB)
    RTF contains \objemb — embedded OLE object
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size

objdata_00_off00002c4c.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2C4C | 31803 bytes
  SHA-256: d9da119c92ce1eed47c6dfda4418113dd5779b456efb0bb1ab787f89c0a17317
  Detection: ClamAV: Doc.Dropper.Agent-6547890-0
  Obfuscation or payload: unlikely

objdata_01_off0001806f.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1806F | 31803 bytes
  SHA-256: 3ccfc27fd502fc3f4dcd504705a3dc16d014c678411fcb6a1f60e4c24e14898d
  Detection: ClamAV: Doc.Dropper.Agent-6547890-0
  Obfuscation or payload: unlikely

objdata_02_off0002d492.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2D492 | 31803 bytes
  SHA-256: 0dc80f2a3d4766f9da4e52eedb0d7a61877280cb68694a88c46a2860c96c59b5
  Detection: ClamAV: Doc.Dropper.Agent-6547890-0
  Obfuscation or payload: unlikely

objdata_03_off000428b5.bin | rtf-objdata-decoded | RTF \objdata at offset 0x428B5 | 31803 bytes
  SHA-256: 5281ea5624a71ea02a392e92184d2abd5655aaf1e29baec33a7a0afa4dd69e7c
  Detection: ClamAV: Doc.Dropper.Agent-6547890-0
  Obfuscation or payload: unlikely

objdata_04_off00057cd8.bin | rtf-objdata-decoded | RTF \objdata at offset 0x57CD8 | 31803 bytes
  SHA-256: dd5f9d8065620479514e3df3e1f7afe7daf6f9e928c40ec19dd6bb2efb8ed65b
  Detection: ClamAV: Doc.Dropper.Agent-6547890-0
  Obfuscation or payload: unlikely

objdata_05_off0006d102.bin | rtf-objdata-decoded | RTF \objdata at offset 0x6D102 | 31803 bytes
  SHA-256: 9c8c644b66204f3084e67fd4caffab291a22e5951a825f4014c03304f451cf40
  Detection: ClamAV: Doc.Dropper.Agent-6547890-0
  Obfuscation or payload: unlikely

objdata_06_off00082525.bin | rtf-objdata-decoded | RTF \objdata at offset 0x82525 | 31803 bytes
  SHA-256: 21ac74f7f97c90ea16adb979bde09f0e287e2f76ee3f7fbbdf713d8cf19dcb8c
  Detection: ClamAV: Doc.Dropper.Agent-6547890-0
  Obfuscation or payload: unlikely

objdata_07_off00097948.bin | rtf-objdata-decoded | RTF \objdata at offset 0x97948 | 31803 bytes
  SHA-256: 87d6889b5c121c7fb5cc26192a4b5c7ceb90c84ab59b2a11aed990d818f9ea73
  Detection: ClamAV: Doc.Dropper.Agent-6547890-0
  Obfuscation or payload: unlikely

objdata_08_off000acd6b.bin | rtf-objdata-decoded | RTF \objdata at offset 0xACD6B | 31803 bytes
  SHA-256: 4ef56078d9d1ce9761bb4756c66f8171afb70fefe92f076b212ae233e802e490
  Detection: ClamAV: Doc.Dropper.Agent-6547890-0
  Obfuscation or payload: unlikely

objdata_09_off000c218e.bin | rtf-objdata-decoded | RTF \objdata at offset 0xC218E | 31803 bytes
  SHA-256: 34558229a2dc4064fb0964b80b4271e32c41b06471b24436abaeaf20b3f31b5d
  Detection: ClamAV: Doc.Dropper.Agent-6547890-0
  Obfuscation or payload: unlikely