Rtf.Dropper.Agent-7120995-0 — RTF malware analysis

Static analysis result for SHA-256 5fda46648fbae46e…

MALICIOUS

RTF

309.3 KB Created: 2018-04-05 10:48:00 First seen: 2020-05-25
MD5: 999fdc2da2b002a753d1614efa914237 SHA-1: 155e79af77f12f865771de7c439a46e81d4df654 SHA-256: 5fda46648fbae46ee3fc68f7c8aaff576b848427f370dc12532352ad3fbb2917
282 Risk Score

Malware Insights

Rtf.Dropper.Agent-7120995-0 · confidence 95%

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains embedded OLE objects and triggers CVE-2017-8759, indicating exploitation for client execution. ClamAV identifies the sample as Rtf.Dropper.Agent-7120995-0, suggesting it acts as a dropper for a secondary payload. The embedded artifact objdata_02_off0004c437.bin is likely the dropped payload.

Heuristics 7

  • CVE-2017-8759 — MSXML SAX OLE activation critical CVE likely CVE_2017_8759
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • ClamAV: Rtf.Dropper.Agent-7120995-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Rtf.Dropper.Agent-7120995-0
  • PE header (with DOS stub) in hex data critical RTF_MZ_HEX
    Hex-encoded PE (MZ + DOS stub) found inside RTF — likely an embedded executable payload
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • OLE object data medium RTF_OBJDATA
    RTF contains 4 \objdata section(s) — embedded OLE objects
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ocsp.thawte.com0 In RTF body
    • http://ts-ocsp.ws.symantec.com07In RTF body
    • http://ocsp.verisign.com0In RTF body
    • http://schemas.microsoft.com/office/word/2003/wordmlIn RTF body
    • http://crl.thawte.com/ThawteTimestampingCA.crl0In RTF body
    • http://ts-aia.ws.symantec.com/tss-ca-g2.cer0In RTF body
    • http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(In RTF body
    • https://www.verisign.com/rpaIn RTF body
    • https://www.verisign.com/cps0*In RTF body
    • https://www.verisign.com/rpa0In RTF body
    • http://logo.verisign.com/vslogo.gif0In RTF body
    • http://crl.verisign.com/pca3.crl0In RTF body
    • http://csc3-2010-crl.verisign.com/CSC3-2010.crl0DIn RTF body
    • http://csc3-2010-aia.verisign.com/CSC3-2010.cer0In RTF body

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0000cf90.bin rtf-objdata-decoded RTF \objdata at offset 0xCF90 46428 bytes
SHA-256: d585b3a2096778d3386bdcad0006f9c71f8d709bd527855971904addecb8fe10
objdata_01_off00023a73.bin rtf-objdata-decoded RTF \objdata at offset 0x23A73 83145 bytes
SHA-256: c1c61b177ceb67c52fbe2c0d9be2cdc89ef3807c249795fe6ca9d9a15c50b060
objdata_02_off0004c437.bin rtf-objdata-decoded RTF \objdata at offset 0x4C437 820 bytes
SHA-256: 5e99841c0bc017d3a28ae3d63a700d3fbde0f631c395dbeba87e395969bce6fa
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): WScript.Shell"), cmd /c IF EXIST ""%TeMp%\block.txt"" (exit) ELSE (copy NUL ""%TeMp%\block.txt"" & start %temp%\taskhost.exe)",0,True

Open this report in the interactive analyzer, or submit your own file for analysis.