Malicious RTF — malware analysis report

Static analysis result for SHA-256 6357499a0687dfb6…

MALICIOUS

RTF

Size: 926.8 KB
Created: 2018-05-04 05:23:00
First seen: 2019-05-31
MD5: 1ed8d12cb5b92778cd15d92924205ec2
SHA-1: 6e9783a4978918307777c8e6d4cbe9e81096afc0
SHA-256: 6357499a0687dfb654b8d53561c922b4662331e30fbeca4fb87577431c073c70
Risk Score: 262

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file contains multiple embedded OLE objects and carries a \objupdate control word, which forces OLE activation on open and is indicative of exploitation of vulnerabilities such as CVE-2017-8759 for client execution. ClamAV detections further confirm its malicious nature, flagging it as Doc.Macro.Obfuscation. The primary attack vector is most likely a spearphishing attachment, with the embedded OLE object serving as the mechanism to download and execute a secondary payload.

Heuristics (6)

  • CVE-2017-8759 — MSXML SAX OLE activation (severity: critical; tag: CVE likely; id: CVE_2017_8759)
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • ClamAV: Doc.Dropper.Agent-6412232-1 (severity: critical; id: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1
  • \objupdate forces OLE activation (severity: high; id: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium; id: RTF_OBJDATA)
    RTF contains 10 \objdata section(s) — embedded OLE objects
  • Embedded OLE object (severity: medium; id: RTF_OBJEMB)
    RTF contains \objemb — embedded OLE object
  • Embedded URL (severity: info; id: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (location: in RTF body)

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Each entry lists Filename, Kind, Source, Size, SHA-256, Detection and the obfuscation/payload verdict.

objdata_00_off00002c6c.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x2C6C
  Size: 31803 bytes
  SHA-256: 04e5958c96bea93fc42c258fcfc92e2a12e23edb90b2511a542c5741cbd0dab9
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely

objdata_01_off00018bda.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x18BDA
  Size: 31803 bytes
  SHA-256: f0513839ff8fafeb3b2aa8191457153151fac181c29e5675e50dcda2e5381f1f
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely

objdata_02_off0002eef3.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x2EEF3
  Size: 31803 bytes
  SHA-256: 7f222bccb5494e83729adcc0e1a17887cfb8b268621590506ed398d2a67d8865
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely

objdata_03_off0004520c.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x4520C
  Size: 31803 bytes
  SHA-256: fc6706d787851f8b90357eeaca6376cce3bf67ea72981abd6f080015e9e5612b
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely

objdata_04_off0005b525.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x5B525
  Size: 31803 bytes
  SHA-256: 15b4baac4fe42bcc295349d1d3c73837d9cb7c42a3ab0c53d28376af5058e6c6
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely

objdata_05_off000718bf.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x718BF
  Size: 31803 bytes
  SHA-256: 97f150ed0a6bf5303e52cd5f4116dfabf72a7b23e13860777a5720d7a355cd6e
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely

objdata_06_off0008782d.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x8782D
  Size: 31803 bytes
  SHA-256: 9e5de23b7d165d9635b7f154d8f60297b13cfb73e8c5ca2a477ebe6171ba62e8
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely

objdata_07_off0009db46.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x9DB46
  Size: 31803 bytes
  SHA-256: 29ddc3750cdf7f442fedefe0bbf30cbd5e41b5e13cbde9fcad4366c1e3f8643e
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely

objdata_08_off000b3e5f.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0xB3E5F
  Size: 31803 bytes
  SHA-256: 1cd76db7b24485c116cd07a1ac35f7b1f4cdf7e85c881d86211278429d1c2b90
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely

objdata_09_off000ca178.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0xCA178
  Size: 31803 bytes
  SHA-256: 8f50c2126526b195cf99856a3628abba6590e78d90aa4f49ff93b7dac0f6bb6e
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely