Malicious RTF — malware analysis report

Static analysis result for SHA-256 54ead7edf6d8bd31…

Verdict: MALICIOUS
File type: RTF
Size: 899.7 KB
Created: 2018-03-31 16:06:00
First seen: 2018-04-12
MD5: 53eb377aa14c4aa13420779024ebac1a
SHA-1: 6829f415fc873fe2dcf0809a797ae5835c05da8d
SHA-256: 54ead7edf6d8bd31993e6c3948978757222ac79ac183e7e784e7a437d50e4fd8
Risk score: 262

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file contains multiple embedded OLE objects and carries a \objupdate control word, which forces OLE activation on open and is indicative of exploiting vulnerabilities like CVE-2017-8759 for client execution. ClamAV detections further confirm its malicious nature, flagging it as Doc.Macro.Obfuscation. The primary attack vector is likely a spearphishing attachment, with the embedded OLE object serving as the mechanism to download and execute a secondary payload.

Heuristics (6)

  • CVE-2017-8759 — MSXML SAX OLE activation (severity: critical; tag: CVE likely; rule: CVE_2017_8759)
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • ClamAV: Doc.Macro.Obfuscation-6391394-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Macro.Obfuscation-6391394-0
  • \objupdate forces OLE activation (severity: high; rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium; rule: RTF_OBJDATA)
    RTF contains 11 \objdata section(s) — embedded OLE objects
  • Embedded OLE object (severity: medium; rule: RTF_OBJEMB)
    RTF contains \objemb — embedded OLE object
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (channel: RTF body)

Extracted artifacts (11)

Files carved from inside the sample during analysis.

Each entry lists: Filename, Kind, Source, Size, SHA-256, Detection, Obfuscation or payload.

  • objdata_00_off00002c3e.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x2C3E
    Size: 27707 bytes
    SHA-256: 11c089c936274841ecf0387fa52d096bb183f77daaeecf2a1dfa05ccdaa2dc9a
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_01_off00016469.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x16469
    Size: 27707 bytes
    SHA-256: 4410110a692d80e8f5a928b7c80cf4e4f99b528b6da34b2817fdcbdd021f9f1a
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_02_off00029c94.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x29C94
    Size: 27707 bytes
    SHA-256: 44282f51de311a9e923836f8810466e04178d45dc4a4f9225684b1f88e468c34
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_03_off0003d50e.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x3D50E
    Size: 27707 bytes
    SHA-256: 24235d45eec3c73d93f8a8377d05deef1db153c004ec998e5e136a3bb63c3ee0
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_04_off00050d39.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x50D39
    Size: 27707 bytes
    SHA-256: 7b35d58923208c33ddb8b4b4bfc074727f0c0eb15ee2aa2a9bbcf4082d955a27
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_05_off00064564.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x64564
    Size: 27707 bytes
    SHA-256: 8b31d82ecaa66b50b49cffc5fc9488e6a1b612a69cd1effa1704d919b6a7d10b
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_06_off00077e38.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x77E38
    Size: 27707 bytes
    SHA-256: 267bd602e5a8bd7afd05fc10209ed551a9672f7ae8d4cc36e34642d3410b15cc
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_07_off0008b7b9.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x8B7B9
    Size: 27707 bytes
    SHA-256: a773a4668b1a21a7d567870c0c9487bb7af99fb70da444672b1e73957edc37ed
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_08_off0009efe4.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x9EFE4
    Size: 27707 bytes
    SHA-256: 5af53e55943d9b683e096adfeaafd5352d986b2819e6115ee031396f24b83f51
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_09_off000b280f.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0xB280F
    Size: 27707 bytes
    SHA-256: d93c8d6906ac52e7c11b27030a31f3923f3c1fc9882f8d5707c34ec3032f1531
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_10_off000c603a.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0xC603A
    Size: 27707 bytes
    SHA-256: b1d095b204616e2796206d2e7af2c774219d583546dfa3916d63f646d1c0765e
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely