Malicious RTF — malware analysis report

Static analysis result for SHA-256 785d710a9ef112d5…

MALICIOUS

Type: RTF
Size: 5.2 KB
First seen: 2019-03-18
MD5: d25d8e496f52610799235f6fc7644c30
SHA-1: 18456a21e00b341caf7de7abda4a05cb5765c14a
SHA-256: 785d710a9ef112d5eb4019814951811746af4764704f9c242472576877c83de9
Risk score: 160

Malware Insights

MITRE ATT&CK

  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file embeds an OLE object whose decoded \objdata contains the SOAP Moniker CLSID, which is the delivery mechanism for CVE-2017-8759, a remote code execution flaw in the .NET Framework's SOAP WSDL parser. The document is therefore built to trigger that vulnerability, most likely to fetch a WSDL definition from an attacker-controlled server and execute a second-stage payload. The \objautlink and \objupdate control words instruct Word to instantiate and refresh the embedded object as soon as the file is opened, so the exploit needs no user interaction beyond opening the document (Protected View, if it is in effect, blocks OLE activation until the user enables editing).

Heuristics (4)

  • CVE_2017_8759 (critical): SOAP Moniker, CVE-2017-8759 (SOAP WSDL RCE)
    The RTF \objdata hex decodes to OLE data containing the SOAP Moniker CLSID. The vulnerable moniker is embedded directly in the document's object stream, which is the delivery shape of this exploit. Word renders embedded RTF objects when it opens the file, and with \objupdate present it activates them as well.
  • RTF_OBJAUTLINK (high): Automatically linked OLE object
    The RTF contains \objautlink, an automatically linked OLE object that can be updated or activated when Word opens the document.
  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    The RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing the user interaction normally needed to activate an object. Rare in benign documents; a hallmark of exploit RTFs, including Equation Editor (CVE-2017-11882) and SOAP Moniker (CVE-2017-8759) samples.
  • RTF_OBJDATA (medium): OLE object data
    The RTF contains 1 \objdata section(s), i.e. embedded OLE object(s).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000003e.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x3E
Size: 2618 bytes
SHA-256: b8db493a08a69696df60d70963c1ef5ffe60fbf21aa1c1de88a4cba26d766288
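The following script is an added example of how the four heuristics above and the \objdata carving in this section can be reproduced on raw RTF bytes. It is illustrative code written for this page, not the analyzer that produced the report and not the sample itself: the names triage_rtf, RtfFindings, SAMPLE_RTF and BENIGN_RTF are hypothetical, and the input it runs on is a constructed RTF that mimics the object layout described here (an OLE1 ObjectHeader followed by the SOAP Moniker CLSID). The CLSID value ecabb0c7-7f19-11d2-978e-0000f8757e2a is the documented SOAP Moniker class identifier.

```python
import hashlib
import re
import struct
import uuid
from dataclasses import dataclass, field

# Documented SOAP Moniker CLSID; OLE streams store GUIDs in little-endian field order,
# so the decoded \objdata is searched for the bytes_le form.
SOAP_MONIKER_LE = uuid.UUID("ecabb0c7-7f19-11d2-978e-0000f8757e2a").bytes_le
# RTF control word: backslash, letters, optional numeric parameter, optional space.
_CONTROL_WORD_RE = re.compile(rb"\\([a-zA-Z]+)(-?\d+)?[ ]?")


@dataclass
class RtfFindings:  # hypothetical summary type, not the analyzer's own
    objdata_count: int = 0
    objupdate: bool = False
    objautlink: bool = False
    soap_moniker: bool = False
    artifacts: list = field(default_factory=list)  # dicts: offset, size, sha256, class_name, blob

    def heuristics(self):
        """(severity, tag) pairs in the order the report lists them."""
        checks = [(self.soap_moniker, "critical", "CVE_2017_8759"),
                  (self.objautlink, "high", "RTF_OBJAUTLINK"),
                  (self.objupdate, "high", "RTF_OBJUPDATE"),
                  (self.objdata_count > 0, "medium", "RTF_OBJDATA")]
        return [(sev, tag) for hit, sev, tag in checks if hit]


def _group_body(data, start):
    """Bytes from start up to the '}' that closes the current group; nesting-aware and
    skips escaped characters. Simplification: \\bin raw-binary runs are not handled."""
    depth, i = 0, start
    while i < len(data):
        c = data[i]
        if c == 0x5C:            # backslash: skip the escaped/control character
            i += 2
            continue
        if c == 0x7B:            # '{'
            depth += 1
        elif c == 0x7D:          # '}'
            if depth == 0:
                return data[start:i]
            depth -= 1
        i += 1
    return data[start:]


def _decode_objdata(body):
    """Drop interleaved control words and whitespace, then decode the ASCII-hex payload."""
    hexdigits = re.sub(rb"[^0-9a-fA-F]", b"", _CONTROL_WORD_RE.sub(b"", body))
    if len(hexdigits) % 2:
        hexdigits = hexdigits[:-1]   # tolerate a dangling nibble
    return bytes.fromhex(hexdigits.decode("ascii"))


def _ole1_class_name(blob):
    """MS-OLEDS OLE1 ObjectHeader: OLEVersion, FormatID, then a length-prefixed ClassName."""
    if len(blob) < 12:
        return ""
    _ver, _fmt, name_len = struct.unpack_from("<III", blob, 0)
    if not 0 < name_len <= 256 or 12 + name_len > len(blob):
        return ""
    return blob[12:12 + name_len].rstrip(b"\x00").decode("latin-1")


def triage_rtf(data):
    """Scan raw RTF bytes for the report's four heuristics and carve every \\objdata blob."""
    f = RtfFindings()
    for m in _CONTROL_WORD_RE.finditer(data):
        word = m.group(1)
        if word == b"objupdate":
            f.objupdate = True
        elif word == b"objautlink":
            f.objautlink = True
        elif word == b"objdata":
            f.objdata_count += 1
            blob = _decode_objdata(_group_body(data, m.end()))
            f.soap_moniker |= SOAP_MONIKER_LE in blob
            f.artifacts.append({"offset": m.start(), "size": len(blob),
                                "sha256": hashlib.sha256(blob).hexdigest(),
                                "class_name": _ole1_class_name(blob), "blob": blob})
    return f


def _build_sample_rtf():
    """Constructed test input (not the real sample): OLE1 header with ClassName
    'OLE2Link', then the SOAP Moniker CLSID, hex-wrapped at 64 columns like Word does."""
    name = b"OLE2Link\x00"
    blob = (struct.pack("<III", 0x501, 2, len(name)) + name
            + b"\x00" * 8 + SOAP_MONIKER_LE + b"\x00" * 16)
    hexdata = blob.hex().encode("ascii")
    wrapped = b"\r\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return (b"{\\rtf1\\ansi\\deff0 {\\object\\objautlink\\objupdate\\objw500\\objh500"
            b"{\\*\\objdata " + wrapped + b"}}\\par }")


SAMPLE_RTF = _build_sample_rtf()
BENIGN_RTF = b"{\\rtf1\\ansi\\deff0 Hello, world.\\par }"

if __name__ == "__main__":
    r = triage_rtf(SAMPLE_RTF)
    for sev, tag in r.heuristics():
        print(f"{sev:8} {tag}")
    for a in r.artifacts:
        print(f"objdata at 0x{a['offset']:X}: {a['size']} bytes, "
              f"class {a['class_name']!r}, sha256 {a['sha256']}")
```

Matching the CLSID in the decoded bytes rather than in the raw ASCII hex is deliberate: attackers split the hex with whitespace, line breaks or junk control words precisely to defeat string rules, and decoding first makes those tricks irrelevant. The reported offset is that of the \objdata control word, which is what the "offset 0x3E" in the artifact listing above refers to.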