Malicious RTF — malware analysis report

Static analysis result for SHA-256 726e40086031e18e…

Verdict: MALICIOUS
File type: RTF
Size: 345.7 KB
Created: 2012-04-19 15:10:00
Authoring application: Microsoft Word 11.0.0000
First seen: 2014-02-28
MD5: 3769c7985a924e2e7b3b132f52d159f0
SHA-1: 30233ba48278d4d2268b3c03b503a0ebbe572c58
SHA-256: 726e40086031e18e92187a0537c9f9c46c13646cf315469888205a730ee63aea
Risk score: 162

Heuristics (5)

  • MSCOMCTL.ListView — CVE-2012-0158 (severity: high; category: CVE related; rule: CVE_2012_0158)
    The RTF \objdata stream decodes to OLE data containing the CLSID of the MSCOMCTL.ListView control (CVE-2012-0158): the vulnerable control/moniker is embedded directly in the document's object stream, which is the delivery shape of this exploit. Embedded RTF objects render automatically when Word opens the file.
  • CVE-2012-0158 RTF embedded encrypted payload (severity: high; category: CVE related; rule: RTF_CVE_2012_0158_EMBEDDED_PAYLOAD)
    The CVE-2012-0158 document embeds a large high-entropy binary blob: the encrypted or packed second-stage payload that the exploit shellcode drops and runs. Hex-encoded object data cannot reach this entropy level, so the region is genuine binary rather than RTF markup. Because the payload is encrypted in the file, it is reported as an IOC (offset, size, SHA-256) rather than as a decoded executable.
  • ClamAV: Win.Trojan.Elpapok-1 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Elpapok-1
  • OLE object data (severity: medium; rule: RTF_OBJDATA)
    The RTF contains 1 \objdata section (an embedded OLE object).
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (found in RTF body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000013c6.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x13C6
Size: 38640 bytes
SHA-256: 8ed2bb4b0a723851debbbedb923b133a1b5ac332f6de1ac7db33597454669278