Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 5a35676907418192…

MALICIOUS

RTF / .DOC

Size: 132.8 KB    Created: 2013-11-20 19:05:00
MD5:     03c1167136ce71a9d0e00ca1557f4031
SHA-1:   c329007ffd918651b7f93704230a11de66930b54
SHA-256: 5a3567690741819288d6215b5ce67d3e3e02a5c79d600aa8c00e2256a5508170
Risk score: 142

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution; T1566.001 Spearphishing Attachment

The sample is an RTF document that contains embedded OLE objects and triggers the CVE-2017-8759 vulnerability. This vulnerability is known to be used to download and execute arbitrary code from a remote URL. The embedded URL http://199.103.63.221/progsKK/All.exe is highly suspicious and likely serves as the download location for a second-stage payload.

Heuristics (5)

  • CVE-2017-8759 — MSXML SAX OLE activation [critical] [CVE likely: CVE_2017_8759]
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • Package object class [high] [RTF_OBJCLASS_PACKAGE]
    OLE Package object — can wrap arbitrary files.
  • OLE object data [medium] [RTF_OBJDATA]
    RTF contains 3 \objdata section(s) — embedded OLE objects.
  • Embedded OLE object [medium] [RTF_OBJEMB]
    RTF contains \objemb — embedded OLE object.
  • Embedded URL [info] [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
      • http://199.103.63.221/progsKK/All.exe
      • http://schemas.microsoft.com/office/word/2003/wordml

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind                  Source                          Size
objdata_00_off00002b1e.bin    rtf-objdata-decoded   RTF \objdata at offset 0x2B1E   1871 bytes
  SHA-256: 1ff6a6ea1a94854ed5f0c76d723b7cc06d19ba81292f995125b5a65d16e85b8a
objdata_01_off0000b42d.bin    rtf-objdata-decoded   RTF \objdata at offset 0xB42D   1801 bytes
  SHA-256: fa4620f16896c6aedf915a78615720d9af6a19fd12932253a8d8476f41387b83
objdata_02_off00013a4c.bin    rtf-objdata-decoded   RTF \objdata at offset 0x13A4C  1831 bytes
  SHA-256: 795724fd7f9630f93e759a1d179a6a8043897763b0725aac57b6fd0a7649ffc7