Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 489bed27c0f88dff…

Verdict: MALICIOUS

File type: RTF / .DOC

Size: 1.94 MB
Created: 2019-09-17 13:59:00
MD5: e154c9b4a2baae06e07cf675a6bfbfbb
SHA-1: 7adaef58941764dc495919603c75fa237293650c
SHA-256: 489bed27c0f88dff5c5c16102f07b6b53cb6261f92c4f7360ec10d631855609a
Risk Score: 200

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The RTF document contains critical heuristic firings for RTF_EQUATION_EDITOR and CVE_2017_8759, indicating exploitation of a known vulnerability in Microsoft Equation Editor. The presence of OLE object data and an ".objupdate" directive further suggests that the document is designed to activate and execute embedded malicious content. The primary attack vector is likely the exploitation of CVE-2017-8759, leading to arbitrary code execution.

Heuristics (6)

  • CVE-2017-8759: MSXML SAX OLE activation (critical, CVE likely) [CVE_2017_8759]
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • Equation Editor CLSID (critical) [RTF_EQUATION_EDITOR]
    Equation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
  • \objupdate forces OLE activation (high) [RTF_OBJUPDATE]
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (medium) [RTF_OBJDATA]
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object (medium) [RTF_OBJEMB]
    RTF contains \objemb — embedded OLE object
  • Embedded URL (info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off001e912d.bin
SHA-256:  2c67e4feaaf6ffc057c8364e455ac05f0635ea396bcd15eae4ce12893fcd6f6b
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x1E912D
Size:     3739 bytes