Malicious RTF — malware analysis report

Static analysis result for SHA-256 5d5c46a419861afe…

MALICIOUS

RTF

841.3 KB Created: 2018-03-12 22:24:00 First seen: 2018-06-25
MD5: cee988885eca7b564b5c99d793a3aa73 SHA-1: 07f8b341c8c245fc2968dd1e5f5e5deeac3e9e49 SHA-256: 5d5c46a419861afe177d2c28e472a336d74b3554ef4724b7660628737fb6ada6
262 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains multiple embedded OLE objects and triggers an ".objupdate" command, which is indicative of exploiting vulnerabilities like CVE-2017-8759 for client execution. ClamAV detections further confirm its malicious nature, flagging it as Doc.Macro.Obfuscation. The primary attack vector is likely spearphishing attachment, with the embedded OLE object serving as the mechanism to download and execute a secondary payload.

Heuristics 6

  • CVE-2017-8759 — MSXML SAX OLE activation critical CVE likely CVE_2017_8759
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • ClamAV: Xls.Downloader.Generic-6750544-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Generic-6750544-0
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 10 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2003/wordml In RTF body

Extracted artifacts 7

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00002c4d.bin rtf-objdata-decoded RTF \objdata at offset 0x2C4D 28731 bytes
SHA-256: 7a2366a43d0049d69c14c91b63115e0c16e073ad8691cd5ef82a20ae3d4f23fd
Detection
ClamAV: Xls.Downloader.Generic-6750544-0
Obfuscation or payload: unlikely
objdata_01_off00016c8e.bin rtf-objdata-decoded RTF \objdata at offset 0x16C8E 28731 bytes
SHA-256: f96ba7b5e97b16e3ae3902ee6fdeb3c204ff09e13d15408d5383fc30013fa152
Detection
ClamAV: Xls.Downloader.Generic-6750544-0
Obfuscation or payload: unlikely
objdata_03_off0003ed10.bin rtf-objdata-decoded RTF \objdata at offset 0x3ED10 28731 bytes
SHA-256: 450493ce126e267fc6e44bc6e1bdefac81092a0ded3cc285ba5d45994c754f4e
Detection
ClamAV: Xls.Downloader.Generic-6750544-0
Obfuscation or payload: unlikely
objdata_05_off00066d92.bin rtf-objdata-decoded RTF \objdata at offset 0x66D92 28731 bytes
SHA-256: a570f3483f891b4160fa244d373b0351c1c779277f1516cdbac98712d96f4246
Detection
ClamAV: Xls.Downloader.Generic-6750544-0
Obfuscation or payload: unlikely
objdata_07_off0008ee14.bin rtf-objdata-decoded RTF \objdata at offset 0x8EE14 28731 bytes
SHA-256: b73dc700b793a0a90de9a86edd013fa11d118f5439dba01d49f90b33986cc928
Detection
ClamAV: Xls.Downloader.Generic-6750544-0
Obfuscation or payload: unlikely
objdata_08_off000a2e55.bin rtf-objdata-decoded RTF \objdata at offset 0xA2E55 28731 bytes
SHA-256: 552145ba4bfb6809842ddf8a91fe4d8192519bba77e7366f7f49682955f58ca8
Detection
ClamAV: Xls.Downloader.Generic-6750544-0
Obfuscation or payload: unlikely
objdata_09_off000b6e96.bin rtf-objdata-decoded RTF \objdata at offset 0xB6E96 28731 bytes
SHA-256: ee167b3ef276711bd4c8bd95d83f4388f0fc76ceea65861b58843e91d203fb3d
Detection
ClamAV: Xls.Downloader.Generic-6750544-0
Obfuscation or payload: unlikely