Rtf.Dropper.Agent-7384550-0 — RTF malware analysis

Static analysis result for SHA-256 71fad652af8f8105…

Verdict: MALICIOUS
File type: RTF
Size: 570.5 KB
Created: 2020-05-14 05:56:00
First seen: 2020-09-15
MD5: 4bd31ef6af333a4dba284f9f5c49c710
SHA-1: 037d925d2ca3a4f4ccaf9a3cbc14663942eb9b6c
SHA-256: 71fad652af8f810542af3ea43c8b87235f13f2bcd3312d6375e7bdad8417ec85
Risk Score: 202

Malware Insights

Rtf.Dropper.Agent-7384550-0 · confidence 95%

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file contains an embedded OLE object that is activated via \objupdate, exploiting CVE-2017-8759. This technique is commonly used by droppers to download and execute additional malware. ClamAV identified the sample as Rtf.Dropper.Agent-7384550-0, supporting its role as a dropper.

Heuristics (6)

  • CVE-2017-8759 — MSXML SAX OLE activation · critical · CVE likely · CVE_2017_8759
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • ClamAV: Xls.Dropper.Agent-7794754-0 · critical · CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Agent-7794754-0
  • \objupdate forces OLE activation · high · RTF_OBJUPDATE
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data · medium · RTF_OBJDATA
    RTF contains 8 \objdata section(s) (embedded OLE objects).
  • Embedded OLE object · medium · RTF_OBJEMB
    RTF contains \objemb (embedded OLE object).
  • Embedded URL · info · EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
objdata_00_off000050f0.bin | rtf-objdata-decoded | RTF \objdata at offset 0x50F0 | 25659 bytes | 8ec957efe339ed3fd107fd091c632ba3460c17cb28c7b29920c30b15484136c7
objdata_02_off0002629c.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2629C | 25659 bytes | 0362368fca42c6297b28a8f634e3618b0abb3b8592aa6e5be7a9919ddf315128
objdata_04_off00047448.bin | rtf-objdata-decoded | RTF \objdata at offset 0x47448 | 25659 bytes | 0322746ba5641d32efbbc19583269c967a1cb7fc74d9d407e5766b4bf7e682be
objdata_06_off000685f4.bin | rtf-objdata-decoded | RTF \objdata at offset 0x685F4 | 25659 bytes | e434544ca0cb6fb19bec4a328dfa01f7c1ab746cd8d8fb13f234f13f4bbe8cba
objdata_07_off000775b3.bin | rtf-objdata-decoded | RTF \objdata at offset 0x775B3 | 25659 bytes | 06418965ad2192bc45a010932d621bc2c0d189506be25bdb50398cf4ca4d3141