RTF malware analysis — malicious · 40c72b6a09101e0e

MALICIOUS

RTF

6.2 KB First seen: 2019-09-30

MD5: d4eb166abf94c27b982caffb4f874d4d SHA-1: d6c92d1f64afb6d6885a47e19576f566a0db8f16 SHA-256: 40c72b6a09101e0e4604fb83eb19eb773049fc338d1cd49221ab8e14339b9b61

122 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains OLE object data and uses \objupdate to force OLE activation, indicating an attempt to execute embedded content. The critical heuristic firing for CVE-2017-0199 confirms the exploitation of a known vulnerability to fetch a remote resource from http://my.mixtape.moe/mlltbl.html, likely to download and execute a secondary payload.

Heuristics 4

CVE-2017-0199 (OLE2Link / remote URL Moniker) critical CVE likely CVE_2017_0199

RTF contains a URL Moniker OLE link whose decoded target is remote. Office can fetch and process the response through the CVE-2017-0199 OLE2Link attack path, but the server-side content type is not proven statically.
\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://my.mixtape.moe/mlltbl.html In RTF body

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off0000003c.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x3C	3133 bytes
SHA-256: `e4e2f18ef695d703fd4b46caa1d280957f6c69dd61feededdb7d56c85680cf8b`

Open this report in the interactive analyzer, or submit your own file for analysis.