Malicious RTF — malware analysis report

Static analysis result for SHA-256 3f657a473761a5d1…

MALICIOUS

RTF

2.25 MB Created: 2019-01-03 16:34:00 First seen: 2019-04-18
MD5: 2a003038e2df248ae57d59b5bdb61b22 SHA-1: 35bd2e4c592d277ce731b74ffee5d2393c343f71 SHA-256: 3f657a473761a5d1d597f2c49a002fcbb9f4b182da9e6e92db95913152b4d02d
282 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1027 Obfuscated Files or Information

The RTF file contains multiple OLE objects and excessive hex-encoded data, strongly indicating the presence of embedded shellcode. The critical heuristic firing for CVE-2017-8759 confirms a known exploit for MSXML SAX OLE activation, which is likely used to execute the shellcode. The extracted artifacts, objdata_00_off00002a17.bin and objdata_01_off00220bd6.bin, are the likely locations of this shellcode.

Heuristics 8

  • Split hex Equation Editor ProgID + OLE object critical CVE likely RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • CVE-2017-8759 — MSXML SAX OLE activation critical CVE likely CVE_2017_8759
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • Large hex data blocks in OLE object high RTF_EXCESSIVE_HEX
    RTF contains ~2111KB of hex-encoded data inside \objdata sections — may hide a payload
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2003/wordml In RTF body

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00002a17.bin rtf-objdata-decoded RTF \objdata at offset 0x2A17 1055487 bytes
SHA-256: 5e4ad9d7f9b15f63f8c4372c77a008d0d2d392849c9a15c3ed507f80782a3dc4
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: heap spray 0x04, SC_PEB_ACCESS, SC_STR_VIRTUALPROTECT Static shellcode analysis recovered API/import strings: GetProcAddress, VirtualAlloc, VirtualProtect, kernel32.dll, KERNEL32.DLL, LoadLibraryA Carved artifact entropy is 7.64, consistent with packed or encrypted content.
objdata_01_off00220bd6.bin rtf-objdata-decoded RTF \objdata at offset 0x220BD6 203 bytes
SHA-256: fd5fc80e6c68e8ffa6f50b5ff55bde057f98ec8a01f313d16bc553677b92d292
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_GETPC_CALL Static shellcode analysis recovered command string(s): CmD /c %tMp%\A.R

Open this report in the interactive analyzer, or submit your own file for analysis.