Verdict: MALICIOUS
Risk Score: 450
Malware Insights

MITRE ATT&CK:
- T1203 Exploitation for Client Execution
- T1105 Ingress Tool Transfer

The RTF document contains OLE object data that triggers remote code execution via CVE-2017-0199 or CVE-2017-8759. It attempts to download a payload from http://mail-serv2.com/vbx/t.php?stats=send&thread=0, which is consistent with Metasploit reverse shellcode. The language of the document body suggests a fake invoice lure, further supporting malicious intent.
Heuristics (13)

- CVE-2017-0199 / CVE-2017-8759 (OLE2Link auto-activated remote loader) (critical, RTF_OLE2LINK_REMOTE_MONIKER_LOADER): RTF embeds an OLE2Link object that is force-activated with \objupdate (no user interaction on open) and fetches a remote second stage through an INCLUDETEXT/INCLUDEPICTURE field. This is the field-delivered OLE2Link auto-update attack path shared by CVE-2017-0199 (server returns an HTA/scriptlet) and CVE-2017-8759 (server returns a SOAP WSDL the .NET parser compiles). Office processes the fetched response through the same code path; the specific CVE depends on the now-unreachable server content type.
- ClamAV: Rtf.Downloader.CVE_2017-6336326-3 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Rtf.Downloader.CVE_2017-6336326-3
- Metasploit reverse_tcp shellcode (critical, SC_MSF_REVERSE): Metasploit reverse_tcp shellcode. Attempted x86 opcode disassembly:

  ```asm
  0005B475 fc               cld
  0005B476 e882000000       call 0x5b4fd
  0005B47B 5f               pop edi
  0005B47C 5e               pop esi
  0005B47D 5b               pop ebx
  0005B47E 8be5             mov esp, ebp
  0005B480 5d               pop ebp
  0005B481 c3               ret
  0005B482 8d4000           lea eax, [eax]
  0005B485 53               push ebx
  0005B486 56               push esi
  0005B487 8bd8             mov ebx, eax
  0005B489 3b5324           cmp edx, dword ptr [ebx + 0x24]
  0005B48C 7436             je 0x5b4c4
  0005B48E 8bf2             mov esi, edx
  0005B490 85f6             test esi, esi
  0005B492 7518             jne 0x5b4ac
  0005B494 33c0             xor eax, eax
  0005B496 8a4318           mov al, byte ptr [ebx + 0x18]
  0005B499 8b0485942c4600   mov eax, dword ptr [eax*4 + 0x462c94]
  0005B4A0 50               push eax
  0005B4A1 a1fc9b4600       mov eax, dword ptr [0x469bfc]
  0005B4A6 8b00             mov eax, dword ptr [eax]
  0005B4A8 ffd0             call eax
  0005B4AA 8bd0             mov edx, eax
  0005B4AC 895324           mov dword ptr [ebx + 0x24], edx
  0005B4AF c6434401         mov byte ptr [ebx + 0x44], 1
  0005B4B3 8b4304           mov eax, dword ptr [ebx + 4]
  0005B4B6 e8ba060000       call 0x5bb75
  0005B4BB 85f6             test esi, esi
  0005B4BD 7505             jne 0x5b4c4
  0005B4BF 33c0             xor eax, eax
  0005B4C1 894324           mov dword ptr [ebx + 0x24], eax
  0005B4C4 5e               pop esi
  0005B4C5 5b               pop ebx
  0005B4C6 c3               ret
  0005B4C7 8bc0             mov eax, eax
  0005B4C9 3b5028           cmp edx, dword ptr [eax + 0x28]
  0005B4CC 7413             je 0x5b4e1
  0005B4CE 895028           mov dword ptr [eax + 0x28], edx
  0005B4D1 c6402c00         mov byte ptr [eax + 0x2c], 0
  ```

- Reference to WinExec API (high, SC_STR_WINEXEC): Reference to WinExec API
- Reference to LoadLibrary API (high, SC_STR_LOADLIBRARY): Reference to LoadLibrary API
- Reference to GetProcAddress API (high, SC_STR_GETPROCADDRESS): Reference to GetProcAddress API
- \objupdate forces OLE activation (high, RTF_OBJUPDATE): RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
- INCLUDETEXT/INCLUDEPICTURE remote URL (high, RTF_INCLUDE_REMOTE): RTF document uses INCLUDETEXT or INCLUDEPICTURE with an http:// URL. Word can fetch the remote content on open depending on Office version and external-content settings, enabling remote template injection, NTLM capture via redirects, or payload delivery.
- Reference to VirtualAlloc API (medium, SC_STR_VIRTUALALLOC): Reference to VirtualAlloc API
- Reference to VirtualProtect API (medium, SC_STR_VIRTUALPROTECT): Reference to VirtualProtect API
- OLE object data (medium, RTF_OBJDATA): RTF contains 2 \objdata section(s), i.e. embedded OLE objects
- Fake invoice / payment lure (low, SE_INVOICE_LURE): Document contains invoice or payment language paired with an action verb. Useful context when combined with link, macro, or attachment indicators.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://mail-serv2.com/vbx/t.php?stats=send&thread=0 (in RTF body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in RTF body)
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| objdata_00_off0000c568.bin | rtf-objdata-decoded | RTF \objdata at offset 0xC568 | 2598 bytes | 7a51cc58b43040b7f5e56cc66bbd7937098706728b504cb7219f50f43cd3c4cc |
| objdata_01_off0000dc96.bin | rtf-objdata-decoded | RTF \objdata at offset 0xDC96 | 2674 bytes | 604e73beddf6f554636100a7cfc81901fad1ecba5403b54b60a45aebb39c16ea |