Malicious RTF — malware analysis report

Static analysis result for SHA-256 573fced8e1da77cc…

Verdict: MALICIOUS
File type: RTF
Size: 1.15 MB
First seen: 2020-02-04
MD5: f422bc9c0d0b9d80d09ee1fc7aed3682
SHA-1: f0ca53524f9c3e60e6dbce70d4c53007c15237e0
SHA-256: 573fced8e1da77ccf56fb9d4c9aef358e722a08ff824d852fc76e04e952ffece
Risk Score: 480

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF file contains OLE object data and is flagged as exploiting CVE-2017-8570, a vulnerability known to be used to drop SCT scripts. The presence of PE headers within the hex data and the ClamAV detection (Xml.Malware.Squiblydoo-6728833-0) further indicate malicious intent. The extracted artifact objdata_01_off0012524c.bin is likely the dropped script that facilitates execution.

Heuristics (10)

  • Composite Moniker — CVE-2017-8570 (drops SCT script) (critical, CVE related, CVE_2017_8570)
    RTF \objdata decodes to OLE data containing the Composite Moniker CLSID associated with CVE-2017-8570 (drops SCT script): the vulnerable moniker is embedded directly in the document's object stream, which is the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
  • ClamAV: Xml.Malware.Squiblydoo-6728833-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xml.Malware.Squiblydoo-6728833-0
  • PE header (with DOS stub) in hex data (critical, RTF_MZ_HEX)
    Hex-encoded PE (MZ header plus DOS stub) found inside the RTF, likely an embedded executable payload.
  • Automatically linked OLE object (high, RTF_OBJAUTLINK)
    RTF contains \objautlink, an automatically linked OLE object that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation (high, RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • Package object class (high, RTF_OBJCLASS_PACKAGE)
    OLE Package object, which can wrap arbitrary files.
  • Large hex data blocks in OLE object (high, RTF_EXCESSIVE_HEX)
    RTF contains ~1199 KB of hex-encoded data inside \objdata sections, which may hide a payload.
  • Suspicious extracted artifact (high, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • OLE object data (medium, RTF_OBJDATA)
    RTF contains 3 \objdata section(s), i.e. embedded OLE objects.
  • Embedded OLE object (medium, RTF_OBJEMB)
    RTF contains \objemb, an embedded OLE object.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • objdata_00_off00000451.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x451
    Size: 599774 bytes
    SHA-256: 7e5f37072954ec17ed87d4777fb5614745baad32681684f18d5c1dbe6a93cdd2
  • objdata_01_off0012524c.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x12524C
    Size: 708 bytes
    SHA-256: 9461022a876c2af4cc6fd592b223a6084fefa707f12b097e0150d523eb4ce080
    Detection: ClamAV: Xml.Malware.Squiblydoo-6728833-0
    Obfuscation or payload: likely
    Static shellcode analysis recovered command string(s): WScript.Shell").Run("cmd /c %tmp%\\Setup.exe",0,false);
  • objdata_02_off00125823.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x125823
    Size: 2633 bytes
    SHA-256: afb1fcfae81159c9f1f429837968cbc51f9f2daa822a906351cb759918713671