Malicious RTF — malware analysis report

Static analysis result for SHA-256 763772416d2ae946…

Verdict: MALICIOUS
File type: RTF
Size: 990.0 KB
Created: 2018-03-31 15:51:00
First seen: 2018-04-23
MD5: ef51e56da31ba444702ae26eba135536
SHA-1: da1a6c34517ee3f66b064dc6b66ca891222ac512
SHA-256: 763772416d2ae9463ddd67930ac9d3cdb0117833d1b7806cd5385913c2423c4d
Risk score: 260

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF document contains multiple embedded OLE objects, one of which carries the \objupdate control word. This control word forces OLE objects to be activated when the document is opened, leading to the exploitation of CVE-2017-8759. ClamAV detections further confirm the malicious nature of the file, identifying it as Doc.Macro.Obfuscation-6391394-0. Exploitation of this CVE allows arbitrary code execution, and the sample was likely delivered as part of a spearphishing attachment campaign.

Heuristics (5)

  • CVE-2017-8759 — MSXML SAX OLE activation [severity: critical; tag: CVE likely; rule: CVE_2017_8759]
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • ClamAV: Doc.Macro.Obfuscation-6391394-0 [severity: critical; rule: CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Macro.Obfuscation-6391394-0
  • \objupdate forces OLE activation [severity: high; rule: RTF_OBJUPDATE]
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [severity: medium; rule: RTF_OBJDATA]
    RTF contains 12 \objdata sections (embedded OLE objects).
  • Embedded OLE object [severity: medium; rule: RTF_OBJEMB]
    RTF contains \objemb (embedded OLE object).

Extracted artifacts (12)

Files carved from inside the sample during analysis.

Each entry lists: filename (kind), source, size; then SHA-256, detection, and obfuscation/payload assessment.

  • objdata_00_off00002ccb.bin (rtf-objdata-decoded), RTF \objdata at offset 0x2CCB, 28219 bytes
    SHA-256: 0a8292419385dff52ecaed72466920e886ea32dfc9dad242a11b12312ec78c63
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_01_off0001690a.bin (rtf-objdata-decoded), RTF \objdata at offset 0x1690A, 28219 bytes
    SHA-256: 08ee93eccc580d2afabed186dbc9ace9adb4b431ad4ea8fed2eea765fccdf68d
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_02_off0002a59c.bin (rtf-objdata-decoded), RTF \objdata at offset 0x2A59C, 28219 bytes
    SHA-256: 4fa769ba547fb09ec9a94e20eb461c6a6c02ef6f039acc64e42228ffb823a861
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_03_off0003e1db.bin (rtf-objdata-decoded), RTF \objdata at offset 0x3E1DB, 28219 bytes
    SHA-256: 7a52b7d808765f73265da97e858e5b2d204a15561a1b07ff4eee5c64cf6c09cd
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_04_off00051e6d.bin (rtf-objdata-decoded), RTF \objdata at offset 0x51E6D, 28219 bytes
    SHA-256: 8e505d7d7e3414a123c0d61292d4fef7583fb5b1adeffb8f2b0bccc625e440e2
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_05_off00065aac.bin (rtf-objdata-decoded), RTF \objdata at offset 0x65AAC, 28219 bytes
    SHA-256: 224956bd34e0d527bee1677aa746c2aa7c0fc41eb08d6bef513de1c599866cb5
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_06_off0007973e.bin (rtf-objdata-decoded), RTF \objdata at offset 0x7973E, 28219 bytes
    SHA-256: a9796b18cd7a3040320290f9e1cc11cab8a071432630fb8637a9dccd8e094cd7
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_07_off0008d37d.bin (rtf-objdata-decoded), RTF \objdata at offset 0x8D37D, 28219 bytes
    SHA-256: 30400632270998295a88decb64f28e4d058c4ae190176c7e1455e8ad08de88b5
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_08_off000a100f.bin (rtf-objdata-decoded), RTF \objdata at offset 0xA100F, 28219 bytes
    SHA-256: 1003a6a97f6a182a20f1ad82b13747dc63719835d7fd1adbd38dcb73503565ff
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_09_off000b4c4e.bin (rtf-objdata-decoded), RTF \objdata at offset 0xB4C4E, 28219 bytes
    SHA-256: 837c81770f497c89d720988ebc3d20abe6ba5fe9a5314c4581179dddc068637a
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_10_off000c88e0.bin (rtf-objdata-decoded), RTF \objdata at offset 0xC88E0, 28219 bytes
    SHA-256: 38d07f1de5c870dbbb302b59b70d43bf64e7f84d37af1afaab75dbc9a31c2464
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_11_off000dc51f.bin (rtf-objdata-decoded), RTF \objdata at offset 0xDC51F, 28219 bytes
    SHA-256: 542b587496d071a025771e82c4ca7717d71c27db89d176dfe163ed274d08f475
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely