Malicious RTF — malware analysis report

Static analysis result for SHA-256 5bb9c71f4cc58a7f…

MALICIOUS

RTF

42.8 KB Created: 2020-03-25 12:01:00
MD5: c1ee4ae400f65fab735d1395cda1b2c6 SHA-1: 327f6e3a619b61c3d7dfeabed4b9dd56864c2e75 SHA-256: 5bb9c71f4cc58a7f3d1f22966cdf089575a4cac573039a194220c7a51e4e1f2d
442 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

The RTF file contains OLE objects and is flagged for CVE-2017-8570, which is known to drop SCT scripts. The document body explicitly prompts the user to 'enable Editing and Content', a common lure for macro-enabled malware. The presence of cmd.exe and PowerShell references, along with the CVE exploit, suggests the file is designed to download and execute a second-stage payload from the identified URLs.

Heuristics 12

  • Composite Moniker — CVE-2017-8570 (drops SCT script) critical CVE related CVE_2017_8570
    RTF \objdata decodes to OLE data containing the Composite Moniker — CVE-2017-8570 (drops SCT script) CLSID — the vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
  • ClamAV: Xml.Malware.Squiblydoo-6728833-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xml.Malware.Squiblydoo-6728833-0
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Suspicious cmd.exe invocation with execution flag high SC_STR_CMD
    Suspicious cmd.exe invocation with execution flag
  • Reference to PowerShell high SC_STR_POWERSHELL
    Reference to PowerShell
  • Automatically linked OLE object high RTF_OBJAUTLINK
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • Package object class high RTF_OBJCLASS_PACKAGE
    OLE Package object — can wrap arbitrary files
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://t.awcna.com/mail.jsp?doc*%username%*%computername%\
    • http://t.awcna.com/7p.php\
    • http://schemas.microsoft.com/offic

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00008a24.bin
f5037dd969f41b0cb6fc817874d2a6be046c2aa7d8149888edae0781264a4c2c		 rtf-objdata-decoded RTF \objdata at offset 0x8A24 1544 bytes
Detection
ClamAV: Xml.Malware.Squiblydoo-6728833-0
Obfuscation or payload: unlikely
objdata_01_off0000967c.bin
449ee00b6af5f912748bc4b356c5ca5667aad28a6b3e9ac541e49bb5fbf73c47		 rtf-objdata-decoded RTF \objdata at offset 0x967C 2633 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.