Malicious RTF — malware analysis report

Static analysis result for SHA-256 79a474ea936c5569…

MALICIOUS

RTF

197.7 KB Created: 2020-02-10 07:22:00
MD5: 4de57f3c4347fa5775cda53544d790f3 SHA-1: 056b5191cbc22d66ba9eda8fbf71efd41e63b081 SHA-256: 79a474ea936c5569278f9c60ce9671db9a9ee38ebdb14b2556b342f04a01c2c1
202 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains critical heuristic firings for CVE-2017-11882 and CVE-2017-8759, indicating exploitation of known vulnerabilities in Microsoft Equation Editor and MSXML SAX. These exploits are designed to execute embedded OLE objects, which in this case likely serve to download and run a second-stage payload from the unknown reputation URL http://redflagalgerie.com/admin/udfald.msi. The presence of multiple OLE object data sections and an objupdate directive further supports the exploitation of embedded objects for execution.

Heuristics 6

  • CVE-2017-11882 — Equation Editor FONT record overflow critical CVE likely CVE_2017_11882
    Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
  • CVE-2017-8759 — MSXML SAX OLE activation critical CVE likely CVE_2017_8759
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 3 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://redflagalgerie.com/admin/udfald.msi
    • http://schemas.microsoft.com/office/word/2003/wordml

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000088de.bin
1f5a4cea46a5e42335b9aeb3b3bbb065f1b696c79c5ea3a501c86dce3dfbf86d		 rtf-objdata-decoded RTF \objdata at offset 0x88DE 15892 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.