Malicious RTF — malware analysis report

Static analysis result for SHA-256 3f65d6b98a39d20f…

MALICIOUS

RTF

737.1 KB Created: 2018-04-27 02:53:00 First seen: 2018-07-04
MD5: 4b45374065a61d4a5335e780742b9125 SHA-1: d7157f87ae8f8b635cb6ae333b63b6d16f8d1cea SHA-256: 3f65d6b98a39d20f5a224b58247f6511805c6059a7cd2f96d38ce025a191b9d3
262 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains multiple embedded OLE objects and triggers an ".objupdate" command, which is indicative of exploiting vulnerabilities like CVE-2017-8759 for client execution. ClamAV detections further confirm its malicious nature, flagging it as Doc.Macro.Obfuscation. The primary attack vector is likely spearphishing attachment, with the embedded OLE object serving as the mechanism to download and execute a secondary payload.

Heuristics 6

  • CVE-2017-8759 — MSXML SAX OLE activation critical CVE likely CVE_2017_8759
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • ClamAV: Doc.Dropper.Agent-6412232-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 10 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2003/wordml In RTF body

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00002c15.bin rtf-objdata-decoded RTF \objdata at offset 0x2C15 24123 bytes
SHA-256: 36e7e4680d56a5645a3fe030ade6349803d50be06592600f5a7763055d57190f
Detection
ClamAV: Doc.Dropper.Agent-6412232-1
Obfuscation or payload: unlikely
objdata_04_off0004863d.bin rtf-objdata-decoded RTF \objdata at offset 0x4863D 24123 bytes
SHA-256: cb2176b98f33d45bbe695e6c1ef02d5b31894db65ff92c8e3f1df24e7f5b5ce9
Detection
ClamAV: Doc.Dropper.Agent-6412232-1
Obfuscation or payload: unlikely
objdata_05_off00059d13.bin rtf-objdata-decoded RTF \objdata at offset 0x59D13 24123 bytes
SHA-256: f932b85742dde39c0a8c5073b9cf987e6853b7f1e46446090f94f85290681cc9
Detection
ClamAV: Doc.Dropper.Agent-6412232-1
Obfuscation or payload: unlikely
objdata_06_off0006b39d.bin rtf-objdata-decoded RTF \objdata at offset 0x6B39D 24123 bytes
SHA-256: bb196d1390ddfef311b17e84c13d45d8ef229cef39c0eb618297c24ad8ef22f3
Detection
ClamAV: Doc.Dropper.Agent-6412232-1
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.