Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 5f7e614ee696c3c2…

MALICIOUS

RTF / .DOC

676.1 KB Created: 2021-03-31 11:59:00
MD5: 136d009e2306806d83c76ff8fb72650f SHA-1: e90101a6ce07dd7e13446ade45aeee7a888433f6 SHA-256: 5f7e614ee696c3c2c437fa513db6c09a5203536793ef2e2b2f47971df90fbc1f
142 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF document contains multiple embedded OLE objects, with a critical heuristic indicating exploitation of CVE-2017-8759. This vulnerability allows for OLE activation, which is likely used to execute arbitrary code. The embedded URL, though benign, is present within the RTF body, suggesting a potential lure or part of the exploit chain.

Heuristics 5

  • CVE-2017-8759 — MSXML SAX OLE activation critical CVE likely CVE_2017_8759
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 9 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2003/wordml

Extracted artifacts 9

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00002cbb.bin
19c537c6e877ce8415fc82f26d82e273931d005f2b1471b156cb3f8ba482c8cd		 rtf-objdata-decoded RTF \objdata at offset 0x2CBB 24635 bytes
objdata_01_off00014713.bin
c878d2de6b1cdaf3319ecbc5a6c774ac45707f2270701218d7a2dd7950def6c7		 rtf-objdata-decoded RTF \objdata at offset 0x14713 24635 bytes
objdata_02_off0002616b.bin
1ff9d8504a1f5eb099b04a91eeb8fa8cfae7e1b70896497f8b4cf62b8d2272cc		 rtf-objdata-decoded RTF \objdata at offset 0x2616B 24635 bytes
objdata_03_off00037bc3.bin
b48ca1b5751e80ccbf3587fcf587e7a8883f7cde5022d1c5ac158588ce0672ba		 rtf-objdata-decoded RTF \objdata at offset 0x37BC3 24635 bytes
objdata_04_off0004961b.bin
ef1bffb86ed8a6f5ead68755ec28bbe98f0f2ca0881b60755812bba8b1338ab2		 rtf-objdata-decoded RTF \objdata at offset 0x4961B 24635 bytes
objdata_05_off0005b073.bin
5a632a9e327b9d777a84436480c4bc5540e2954c0f6f9084c5daa8944c078ea5		 rtf-objdata-decoded RTF \objdata at offset 0x5B073 24635 bytes
objdata_06_off0006cacb.bin
a8950c10836d48bc83649c2ac21f6435aa06cd2f6e66563a5cd3b82ac9243746		 rtf-objdata-decoded RTF \objdata at offset 0x6CACB 24635 bytes
objdata_07_off0007e523.bin
fc83603e9fbc177e1e9d6c33374b4dae0007be67d7b26fee9f59308631f4d777		 rtf-objdata-decoded RTF \objdata at offset 0x7E523 24635 bytes
objdata_08_off0008ff7b.bin
5a31a1741d4b0f278178429c3a38c9878c22d6174baf30441019306b856ad4d9		 rtf-objdata-decoded RTF \objdata at offset 0x8FF7B 24635 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.