Malicious RTF — malware analysis report

Static analysis result for SHA-256 6943484dad1a3246…

Verdict: MALICIOUS
File type: RTF
Size: 776.0 KB
Created: 2017-11-10 20:39:00
First seen: 2018-01-23
MD5: dc5e72b062c49ed6fe399a41c4b14a57
SHA-1: 4d67958c28bc2458e48fa6d7f9d640fc66eccb2d
SHA-256: 6943484dad1a3246a82b1a9444811e0f4c561770291dd936a1f1a5314e13fda9
Risk score: 262

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file contains multiple embedded OLE objects and carries the \objupdate control word, which forces OLE activation when the document is opened; this combination is indicative of exploiting vulnerabilities such as CVE-2017-8759 for client execution. ClamAV detections further confirm its malicious nature, flagging it as Doc.Macro.Obfuscation. The primary attack vector is likely a spearphishing attachment, with the embedded OLE object serving as the mechanism to download and execute a secondary payload.

Heuristics (6)

  • [critical] CVE-2017-8759 — MSXML SAX OLE activation (rule: CVE_2017_8759, CVE likely)
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • [critical] ClamAV: Doc.Macro.Obfuscation-6391394-0 (rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Macro.Obfuscation-6391394-0
  • [high] \objupdate forces OLE activation (rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • [medium] OLE object data (rule: RTF_OBJDATA)
    RTF contains 10 \objdata section(s) — embedded OLE objects
  • [medium] Embedded OLE object (rule: RTF_OBJEMB)
    RTF contains \objemb — embedded OLE object
  • [info] Embedded URL (rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256 | Detection | Obfuscation or payload
objdata_00_off00002a85.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2A85 | 26171 bytes | a4f2bee7d65f2ef33cf732b49720631880e7c21128265d0f585911741d6d1f78 | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely
objdata_01_off000150d3.bin | rtf-objdata-decoded | RTF \objdata at offset 0x150D3 | 26171 bytes | 01acc7f0f3ee44f434d5bbac95e7bd87e633d40130d603c4f6703e20b72fb070 | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely
objdata_02_off00027723.bin | rtf-objdata-decoded | RTF \objdata at offset 0x27723 | 26171 bytes | c38cb4dc765e13849e64ec51f4f48b834b5833584ed0eea5830b425ea00350dc | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely
objdata_03_off00039d73.bin | rtf-objdata-decoded | RTF \objdata at offset 0x39D73 | 26171 bytes | eacba04910829f9c73c0d5bcbadfd6687de3279bd63c779ec18c45cd232d6259 | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely
objdata_04_off0004c3c3.bin | rtf-objdata-decoded | RTF \objdata at offset 0x4C3C3 | 26171 bytes | 85b0ce0290915ab40905c7b4af034ae49cb679059a5fff8d0dae249ebecafb70 | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely
objdata_05_off0005ea13.bin | rtf-objdata-decoded | RTF \objdata at offset 0x5EA13 | 26171 bytes | b8362c7aab8ddc589186892590ddfa45ae07c0c48c46dd0beb0bde58f863cce1 | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely
objdata_06_off00071063.bin | rtf-objdata-decoded | RTF \objdata at offset 0x71063 | 26171 bytes | 0e23ae6a9add208cd59dd8573a5bfaf088f90f7f1e11e34214fc2eba3ad51630 | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely
objdata_07_off000836b3.bin | rtf-objdata-decoded | RTF \objdata at offset 0x836B3 | 26171 bytes | 1434efa11694e0f9f59a3ffd9f4b2772da390dde25cc53224a855e89dd38b57f | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely
objdata_08_off00095d03.bin | rtf-objdata-decoded | RTF \objdata at offset 0x95D03 | 26171 bytes | 0e1768d29549a0d013f123981eaf1b64c1bb1393634d21c15277acff1d5fa2f6 | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely
objdata_09_off000a8353.bin | rtf-objdata-decoded | RTF \objdata at offset 0xA8353 | 26171 bytes | ce0cc08fdc8ed82624bf2c1abf1a95aac3fc6634fed73c76dbe0ef6eee7b66b6 | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely