Malicious RTF — malware analysis report

Static analysis result for SHA-256 5f019cf6b05a2270…

Verdict: MALICIOUS
File type: RTF
Size: 420.7 KB
First seen: 2017-05-29
MD5: 3036782ebf26c52ee7966bdb53412dc4
SHA-1: 940e0300c05012ef5c89b894fd92aca1974008af
SHA-256: 5f019cf6b05a2270cf9c4a0b485ff90e8aa7287821647afbf3cd237575cd4791
Risk Score: 162

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The file is an RTF document containing OLE object data, which is indicative of an exploit. ClamAV signatures confirm the presence of the CVE-2015-1641 exploit, a known vulnerability allowing for arbitrary code execution. The embedded OLE objects are likely the exploit payload, leading to the malicious verdict.

Heuristics (4)

  • ClamAV: Doc.Exploit.CVE_2015_1641-6397417-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Exploit.CVE_2015_1641-6397417-0
  • OLE object data medium RTF_OBJDATA
    RTF contains 3 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                    Kind                 Source                         Size
objdata_00_off0000001f.bin  rtf-objdata-decoded  RTF \objdata at offset 0x1F    53 bytes
  SHA-256: 7337580416891e5a22d1993e8e7f6fd70b313be9c6e0f3065f42b639d8fe4b88
objdata_01_off00002068.bin  rtf-objdata-decoded  RTF \objdata at offset 0x2068  21553 bytes
  SHA-256: 05d45c64752f9b23ed372a2328bd9e650771aac65f80b68ea85aeb3219ecef31
objdata_02_off0000e8aa.bin  rtf-objdata-decoded  RTF \objdata at offset 0xE8AA  32817 bytes
  SHA-256: 224d0a14660714cd73baceb985d8a6358961441d22908a16291903f8e9a98054
Detection
ClamAV: Doc.Exploit.CVE_2015_1641-6397417-0
Obfuscation or payload: likely
Carved artifact entropy is 7.71, consistent with packed or encrypted content.