Malicious RTF — malware analysis report

Static analysis result for SHA-256 53a06fd70807395c…

Verdict: MALICIOUS
File type: RTF
Size: 1.06 MB | Created: 2018-04-18 02:09:00 | First seen: 2019-04-17
MD5: 8f7a2c370e6a766a3db75f41ac32ad19
SHA-1: 000d3724b42dd333124cb14f682354ff1ccad30b
SHA-256: 53a06fd70807395cb7a4533198ff59e0db481c21b33094fc682d7a0a9b1e83a4
Risk score: 182

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file embeds 14 OLE objects and uses \objupdate to force their activation as soon as the document is opened. Combined with an OLE1 object whose class is Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, this is the staging shape associated with CVE-2017-8759. That vulnerability is a code-injection flaw in the .NET Framework's SOAP WSDL parser, not in MSXML itself: the activated object causes a WSDL definition to be fetched and parsed, and unvalidated text from it ends up in generated source code that the framework compiles and runs, which in the wild is used to download and execute a second-stage payload. The large hex-encoded \objdata blocks (14 objects of 26683 bytes each after decoding) are where the staged content lives. No second-stage URL is visible in this static result; the only extracted URL is a WordML namespace identifier, not a download location.

Heuristics (6)

  • CVE-2017-8759 (MSXML SAX OLE activation) [critical, CVE likely] CVE_2017_8759
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • \objupdate forces OLE activation [high] RTF_OBJUPDATE
    RTF contains \objupdate, which forces embedded OLE objects to be instantiated as soon as the document is opened, with no user interaction. It is rare in benign documents and common in exploit documents, notably Equation Editor exploits and CVE-2017-8759 staging like this sample.
  • Large hex data blocks in OLE object [high] RTF_EXCESSIVE_HEX
    RTF contains ~1024 KB of hex-encoded data inside \objdata sections; blocks this large may hide a payload.
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 14 \objdata section(s) (embedded OLE objects).
  • Embedded OLE object [medium] RTF_OBJEMB
    RTF contains \objemb (embedded OLE object).
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2003/wordml (in RTF body). This is the WordML XML namespace identifier that Word writes into RTF, not a download location; do not treat it as a network indicator.
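The heuristics above (\objdata carving, OLE1 class name, \objupdate/\objemb, decoded size) and the per-object offsets and hashes in the artifacts table can all be reproduced with a short carver. The following is an added example written for this page, not the scanner's own code: it decodes every \objdata group, parses the OLE1 ObjectHeader (MS-OLEDS 2.2.4) to recover the class name and native payload, checks whether the native data starts with the OLE compound-document magic, and flags the CVE-2017-8759 staging shape. The sample RTF is constructed inline; the "compound document" it embeds is only the 8-byte CFB magic plus zero padding, not a real OLE file. The obfuscated variant shows why the carver skips whitespace and stray control words: Word's lenient RTF reader does, and obfuscators rely on that.

```python
import hashlib
import re
import struct

# Added example (not the scanner's own code). Sample RTF and OLE1 blob are constructed here.
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE compound document signature
HEX_DIGITS = b"0123456789abcdefABCDEF"
OBJDATA_RE = re.compile(rb"\\objdata\b")


def lpstr(s: bytes) -> bytes:
    """MS-OLEDS LengthPrefixedAnsiString: 4-byte length incl. NUL, or 0 for an empty string."""
    return (struct.pack("<I", len(s) + 1) + s + b"\x00") if s else b"\x00\x00\x00\x00"


def ole1_embedded(class_name: bytes, native: bytes) -> bytes:
    """OLE1 ObjectHeader (FormatID 2 = EmbeddedObject) followed by NativeDataSize + NativeData."""
    return (struct.pack("<II", 0x00000501, 0x00000002)          # OLEVersion, FormatID
            + lpstr(class_name) + lpstr(b"") + lpstr(b"")        # ClassName, TopicName, ItemName
            + struct.pack("<I", len(native)) + native)


def parse_ole1(blob: bytes) -> dict:
    """Inverse of ole1_embedded(): class name and native payload from a decoded \\objdata blob."""
    version, fmt = struct.unpack_from("<II", blob, 0)
    off, names = 8, []
    for _ in range(3):                                           # ClassName, TopicName, ItemName
        (n,) = struct.unpack_from("<I", blob, off)
        off += 4
        names.append(blob[off:off + n].rstrip(b"\x00").decode("latin-1"))
        off += n
    (native_size,) = struct.unpack_from("<I", blob, off)
    native = blob[off + 4:off + 4 + native_size]
    return {"version": version, "format_id": fmt, "class_name": names[0],
            "native_size": native_size, "native_is_cfb": native[:8] == CFB_MAGIC}


def carve_objdata(rtf: bytes):
    """Yield (file offset, decoded bytes) for every \\objdata group. Whitespace and stray
    control words inside the group are ignored, as Word's tolerant RTF reader ignores them."""
    for m in OBJDATA_RE.finditer(rtf):
        i, depth, hexchars = m.end(), 1, bytearray()
        while i < len(rtf) and depth > 0:
            c = rtf[i:i + 1]
            if c == b"{":
                depth += 1
            elif c == b"}":
                depth -= 1
            elif c == b"\\":                                     # skip control word + numeric param
                i += 1
                while i < len(rtf) and rtf[i:i + 1].isalnum():
                    i += 1
                continue
            elif c in HEX_DIGITS:
                hexchars += c
            i += 1
        hexchars = hexchars[:len(hexchars) & ~1]                 # drop a dangling nibble
        yield m.start(), bytes.fromhex(hexchars.decode("ascii"))


def triage(rtf: bytes) -> dict:
    """Apply the report's RTF heuristics and list carved objects like the artifacts table."""
    objects = []
    for off, blob in carve_objdata(rtf):
        objects.append({"offset": off, "size": len(blob),
                        "sha256": hashlib.sha256(blob).hexdigest(), **parse_ole1(blob)})
    objupdate = b"\\objupdate" in rtf
    staged = any(o["class_name"].lower().startswith("msxml2.saxxmlreader") and o["native_is_cfb"]
                 for o in objects)
    return {"objupdate": objupdate, "objemb": b"\\objemb" in rtf, "objects": objects,
            "decoded_bytes": sum(o["size"] for o in objects),
            "cve_2017_8759_shape": objupdate and staged}


# Constructed stand-in for the page's OLE1 object: real class name, fake 64-byte "compound document".
SAMPLE_BLOB = ole1_embedded(b"Msxml2.SAXXMLReader.6.0", CFB_MAGIC + b"\x00" * 56)


def build_sample_rtf(obfuscate: bool = False) -> bytes:
    """Constructed RTF with one \\objemb\\objupdate object carrying SAMPLE_BLOB as hex."""
    hexdata = SAMPLE_BLOB.hex().encode("ascii")
    if obfuscate:   # a harmless control word between every byte pair, an obfuscator's trick
        body = b"\\par ".join(hexdata[i:i + 2] for i in range(0, len(hexdata), 2))
    else:           # 64 hex chars per line, as Word writes it
        body = b"\r\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return (b"{\\rtf1\\ansi\r\n{\\object\\objemb\\objupdate\\objw100\\objh100"
            b"{\\*\\objclass Msxml2.SAXXMLReader.6.0}{\\*\\objdata\r\n"
            + body + b"\r\n}}\r\n\\par }")


if __name__ == "__main__":
    r = triage(build_sample_rtf())
    print("objupdate:", r["objupdate"], " CVE-2017-8759 shape:", r["cve_2017_8759_shape"])
    for o in r["objects"]:
        print(f"offset 0x{o['offset']:X} {o['size']} bytes {o['class_name']} {o['sha256']}")
```

Run it against the real sample by replacing `build_sample_rtf()` with the file's bytes; the per-object offsets, sizes and SHA-256 values should then line up with the artifacts table below, and `native_is_cfb` tells you which objects actually carry an OLE compound document worth carving further.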

Extracted artifacts (14)

Files carved from inside the sample during analysis. All 14 decoded objects are exactly 26683 bytes, yet every one has a distinct SHA-256, so they are near-identical variants rather than byte-for-byte copies.

Filename | Kind | Source | Size | SHA-256
objdata_00_off00002c9d.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2C9D | 26683 bytes | c3f7962da36c4a48535645a1aebbbb257052395a549e3ae1cc77f22ba6829073
objdata_01_off00015d29.bin | rtf-objdata-decoded | RTF \objdata at offset 0x15D29 | 26683 bytes | 9a6583e7c3f90510446f9a57c26dcc25d865f43414322dc40993405ab79c1aab
objdata_02_off000287d3.bin | rtf-objdata-decoded | RTF \objdata at offset 0x287D3 | 26683 bytes | 381c230d288c468b715cb90f63408668394d1c088b24647e4f532198bfc54603
objdata_03_off0003b27d.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3B27D | 26683 bytes | c283e497c69ce890b7df4f88b873ed6ef7a3c4d7bf18135a50b566fc03375bf9
objdata_04_off0004dd27.bin | rtf-objdata-decoded | RTF \objdata at offset 0x4DD27 | 26683 bytes | 26beb19dc5d7027918094fe182673230934754c827e7fc09e47bd2275147f508
objdata_05_off000607d1.bin | rtf-objdata-decoded | RTF \objdata at offset 0x607D1 | 26683 bytes | 1ad9c0881215ea48bb5ab616e64a07a3fcf1885a82706e69e1f8e3639b676bfc
objdata_06_off0007327b.bin | rtf-objdata-decoded | RTF \objdata at offset 0x7327B | 26683 bytes | eba44b653694983883e1efd565a4e2337131a85706cb3adc2349a084c9741d52
objdata_07_off00085db9.bin | rtf-objdata-decoded | RTF \objdata at offset 0x85DB9 | 26683 bytes | 12357372c9cf1db85e131621b4217f60a74acf65cfae3ebfcd6b6ed5d4183ff6
objdata_08_off00098e45.bin | rtf-objdata-decoded | RTF \objdata at offset 0x98E45 | 26683 bytes | 48eed09474b9f8423444ffa4ac81796221d9e36dc8119544ca838d0ebcfd6ea1
objdata_09_off000ab8ef.bin | rtf-objdata-decoded | RTF \objdata at offset 0xAB8EF | 26683 bytes | b3839f7366f3d6c7c93fc597b0f7a9b8aafe2126b29106ebc680665b23b58785
objdata_10_off000be399.bin | rtf-objdata-decoded | RTF \objdata at offset 0xBE399 | 26683 bytes | ef084d6c7d45f5f0a5876370945dbb39cbf20d49c1e9377867f46cc0ccfebed7
objdata_11_off000d0e43.bin | rtf-objdata-decoded | RTF \objdata at offset 0xD0E43 | 26683 bytes | 35d2c467c5fa6461b1e446b68004945d9deb8e2d3e28b62ff692a16593f308bb
objdata_12_off000e38ed.bin | rtf-objdata-decoded | RTF \objdata at offset 0xE38ED | 26683 bytes | 8c8189cf142a299cc302168962cbe94bf3a173a343b41ec89538ca6bb09e2c2c
objdata_13_off000f6397.bin | rtf-objdata-decoded | RTF \objdata at offset 0xF6397 | 26683 bytes | eec5fbfbebb3cedb79df347ff5d8c359dd691a4ece7acd41195efbe837037b49