Malicious RTF — malware analysis report

Static analysis result for SHA-256 578733de1af1f157…

MALICIOUS

RTF

44.4 KB Created: 2017-11-15 23:09:00 First seen: 2017-11-20
MD5: 1083142df3d30947359d266933079578 SHA-1: 31333a1c3f2e0ba792b8ee886afc5b6d7e92255d SHA-256: 578733de1af1f1577a00948f0fa88867528da0f3a009fbc821c7d5c86390b8c3
142 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains an OLE object that exploits CVE-2017-0199, a known vulnerability for remote code execution. The embedded URL 'http://185.24.233.170/1/jud.doc' is likely the source of a secondary payload. The document also contains a lure to enable editing, indicating a user interaction is expected to trigger the exploit.

Heuristics 5

  • CVE-2017-0199 (OLE2Link / remote URL Moniker) critical CVE likely CVE_2017_0199
    RTF contains a URL Moniker OLE link whose decoded target is remote. Office can fetch and process the response through the CVE-2017-0199 OLE2Link attack path, but the server-side content type is not proven statically.
  • Automatically linked OLE object high RTF_OBJAUTLINK
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://185.24.233.170/1/jud.doc In RTF body
    • http://schemas.microsoft.com/office/word/2003/wordmlIn RTF body

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0000338d.bin rtf-objdata-decoded RTF \objdata at offset 0x338D 3640 bytes
SHA-256: ecadd2073951c1fa226f403b703e992dd29adf43ae944c58602e71d2a4ca30eb