Malicious RTF — malware analysis report

Static analysis result for SHA-256 64c71212a5275928…

MALICIOUS

RTF

2.50 MB First seen: 2019-04-17
MD5: ffc854700a17437a82a82b0d7e11fd2d SHA-1: a8484fbabd0230d53cb9cfff3a5b38011520ef8f SHA-256: 64c71212a5275928f5291d7fef7e895ff0f22897a234eaed77f0129ea68c9153
242 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains multiple indicators of malicious activity, including OLE object data and excessive hex data, strongly suggesting the presence of embedded malicious content. Specifically, the 'CVE_2017_8570' heuristic firing indicates the exploitation of a vulnerability to drop a script. The presence of a composite moniker further supports this, pointing towards the execution of a secondary payload.

Heuristics 8

  • Composite Moniker — CVE-2017-8570 (drops SCT script) critical CVE related CVE_2017_8570
    RTF \objdata decodes to OLE data containing the Composite Moniker — CVE-2017-8570 (drops SCT script) CLSID — the vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
  • Composite Moniker in RTF OLE object high CVE related RTF_COMPOSITE_MONIKER_RELATED
    RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • Large hex data blocks in OLE object high RTF_EXCESSIVE_HEX
    RTF contains ~1123KB of hex-encoded data inside \objdata sections — may hide a payload
  • OLE object data medium RTF_OBJDATA
    RTF contains 7 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.CorbisImages.com/enlargement/42-22754942.html�� In RTF body
    • http://ns.camerabits.com/photomechanic/1.0/In RTF body
    • http://ns.adobe.com/xap/1.0/In RTF body
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In RTF body
    • http://ns.adobe.com/photoshop/1.0/In RTF body
    • http://ns.adobe.com/xap/1.0/rights/In RTF body
    • http://purl.org/dc/elements/1.1/In RTF body

Extracted artifacts 7

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00000025.bin rtf-objdata-decoded RTF \objdata at offset 0x25 205 bytes
SHA-256: 75a725fc96463ea024899f12597b26031b1a5d84ddd2de407d47914073b3db59
objdata_01_off000001ea.bin rtf-objdata-decoded RTF \objdata at offset 0x1EA 385227 bytes
SHA-256: 91f382cdf3de6d5ea752d6f90e298d0e8be08411bb87e3a0dcd5695aa9e53377
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_GETPC_CALL
objdata_02_off0011253c.bin rtf-objdata-decoded RTF \objdata at offset 0x11253C 1068 bytes
SHA-256: 2b28d78ceb2a564ae30f2b6865926b068f3f920a373c2e3fc4cb865091eddd89
objdata_03_off00112dc7.bin rtf-objdata-decoded RTF \objdata at offset 0x112DC7 742604 bytes
SHA-256: ec16abc98ac27cae3fd21ee25333f809f8b6411f760f9ef48b9fb8c958bd903c
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.86, consistent with packed or encrypted content.
objdata_04_off0027d791.bin rtf-objdata-decoded RTF \objdata at offset 0x27D791 369 bytes
SHA-256: 3c0b4878e98d51d984a06b9ba36e54869ecd67e41f335730fced4ca28976d877
objdata_05_off0027daa7.bin rtf-objdata-decoded RTF \objdata at offset 0x27DAA7 890 bytes
SHA-256: 21dcdf875b1972c61c0e8c2c2123f9a95c8f29fb4a2cf8bf52511b328881de8e
objdata_06_off0027e202.bin rtf-objdata-decoded RTF \objdata at offset 0x27E202 2633 bytes
SHA-256: 27c6d10cfe7974ebf40c1200cc005f9878cc37b7d49ece9cbc396d700c38918a

Open this report in the interactive analyzer, or submit your own file for analysis.