Malicious RTF — malware analysis report

Static analysis result for SHA-256 50fa2135f4f1ee8c…

MALICIOUS

RTF

Size: 918.5 KB
Created: 2018-05-10 15:35:00
First seen: 2018-06-14
MD5: 1c91f62c513206ca6d899326cdd0e7e5
SHA-1: dbd5d899294955232f8c9a38f6f77ce85f067270
SHA-256: 50fa2135f4f1ee8cca42e72c0e3163cd592d773b2132c1569411e90989c3a55a
Risk Score: 262

Malware Insights

MITRE ATT&CK
  • T1203 — Exploitation for Client Execution
  • T1566.001 — Spearphishing Attachment

The RTF file contains multiple embedded OLE objects and carries a \objupdate control word, which forces OLE activation on open and is characteristic of documents exploiting vulnerabilities such as CVE-2017-8759 for client execution. ClamAV detections further confirm its malicious nature, flagging it as Doc.Macro.Obfuscation. The primary attack vector is most likely a spearphishing attachment, with the embedded OLE object serving as the mechanism to download and execute a secondary payload.

Heuristics (6)

  • CVE-2017-8759 — MSXML SAX OLE activation [critical] (CVE likely; rule CVE_2017_8759)
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • ClamAV: Doc.Dropper.Agent-6412232-1 [critical] (rule CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1
  • \objupdate forces OLE activation [high] (rule RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] (rule RTF_OBJDATA)
    RTF contains 10 \objdata section(s): embedded OLE objects
  • Embedded OLE object [medium] (rule RTF_OBJEMB)
    RTF contains \objemb: embedded OLE object
  • Embedded URL [info] (rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Filename                    | Kind                | Source                          | Size
----------------------------|---------------------|---------------------------------|------------
objdata_00_off00002c1d.bin  | rtf-objdata-decoded | RTF \objdata at offset 0x2C1D   | 33339 bytes
  SHA-256: 9c7c29df8a4169c68dadbdbc872852ddc2cd43a0a8f436419e8331f321f64ec1
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely
objdata_01_off00018b39.bin  | rtf-objdata-decoded | RTF \objdata at offset 0x18B39  | 33339 bytes
  SHA-256: 1c888453c9503496ad9650fce98a543b4e50ee3d06c8d1ca72b7a1da55d1197a
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely
objdata_02_off0002ea55.bin  | rtf-objdata-decoded | RTF \objdata at offset 0x2EA55  | 33339 bytes
  SHA-256: cb4cbdd44b333e2551bdb00eefe76325cadd4be91f1ff183e13d7dee0be5cdc6
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely
objdata_03_off00044971.bin  | rtf-objdata-decoded | RTF \objdata at offset 0x44971  | 33339 bytes
  SHA-256: 82a0885f330058e070544c43085a698d606a8a2ef4a50756b78a8210e5078fc5
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely
objdata_04_off0005a88d.bin  | rtf-objdata-decoded | RTF \objdata at offset 0x5A88D  | 33339 bytes
  SHA-256: 449b7bce69bcbd6a5254c67c7e6b5cbbddf6c83303d87afdcf0357cdd8e85108
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely
objdata_05_off000707f5.bin  | rtf-objdata-decoded | RTF \objdata at offset 0x707F5  | 33339 bytes
  SHA-256: 488fae9d012ad0dc632b30c790f06d39ff40b199f419266953d2c992c21e7fae
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely
objdata_06_off00086711.bin  | rtf-objdata-decoded | RTF \objdata at offset 0x86711  | 33339 bytes
  SHA-256: f631352fbaacf98b386701ee1ec6d8e9d6c1b9bf54bce44032b033e8bf7866c3
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely
objdata_07_off0009c62d.bin  | rtf-objdata-decoded | RTF \objdata at offset 0x9C62D  | 33339 bytes
  SHA-256: 7c883a4e5703776ff6eef455082858aa8ba9966c71c8e5bd21c7ac6ca0cf7d63
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely
objdata_08_off000b2549.bin  | rtf-objdata-decoded | RTF \objdata at offset 0xB2549  | 33339 bytes
  SHA-256: 2bfc3147987dfbc89a4cf32395725160aff21636a9d82ec62fea38e73039e6d8
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely
objdata_09_off000c8465.bin  | rtf-objdata-decoded | RTF \objdata at offset 0xC8465  | 33339 bytes
  SHA-256: 151ed9ce8fee4a8b1d40b6766e9e69d0cdae3f755d1360cd8813485422f821fc
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely