Malicious RTF — malware analysis report

Static analysis result for SHA-256 7deda5f2e2566894…

Verdict: MALICIOUS
File type: RTF
Size: 497.7 KB
Created: 2017-12-08 04:52:00
First seen: 2018-01-23
MD5: 1bae39ebb8a076c67bfcf25a81e14c7d
SHA-1: d33fd6fe109eed92fcfcabfc49af3e5a68b2fea1
SHA-256: 7deda5f2e2566894b662522601c1b77953f82bf4d4d161382bd3ed380d771645
Risk Score: 162

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF document contains multiple embedded OLE objects and triggers the CVE-2017-8759 exploit, which is known for allowing arbitrary code execution. This exploit is typically delivered via spearphishing attachments, suggesting a malicious intent to compromise the user's system.

Heuristics (5)

  • CVE-2017-8759 — MSXML SAX OLE activation (severity: critical; CVE likely; tag: CVE_2017_8759)
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • ClamAV: Doc.Exploit.DDEautoexec-6346603-1 (severity: critical; tag: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Exploit.DDEautoexec-6346603-1
  • OLE object data (severity: medium; tag: RTF_OBJDATA)
    RTF contains 10 \objdata section(s) — embedded OLE objects
  • Embedded OLE object (severity: medium; tag: RTF_OBJEMB)
    RTF contains \objemb — embedded OLE object
  • Embedded URL (severity: info; tag: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
objdata_00_off000035b0.bin | rtf-objdata-decoded | RTF \objdata at offset 0x35B0 | 19505 bytes | 49dfad1fc4b46d3404a3985c5573bc5279d7fcf01ce6e9d9dc4863366ba8bc03
objdata_01_off0000eacc.bin | rtf-objdata-decoded | RTF \objdata at offset 0xEACC | 19505 bytes | 885a9854e2f53beb0216dd900c9bb4c0a72a3869d0cbe65aa7c6db998023d506
objdata_02_off00019fe8.bin | rtf-objdata-decoded | RTF \objdata at offset 0x19FE8 | 19505 bytes | aae46a98f0ef548e26d446d6fcff66a1020cc165febb962d9c5b21a343e21833
objdata_03_off00025504.bin | rtf-objdata-decoded | RTF \objdata at offset 0x25504 | 19505 bytes | 3f8f773277e8491ffab3f00396031be4e76c5df4dbede7c948735af68aa37694
objdata_04_off00030a20.bin | rtf-objdata-decoded | RTF \objdata at offset 0x30A20 | 19505 bytes | ab4374c8baecb81049d3bd132822a1d4e5ad66455a79ed96230320e94041743e
objdata_05_off0003bf5b.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3BF5B | 19505 bytes | fb0a0dc213084bbce61b8c8388887153305bc4afc5aa231a29c774375610bf83
objdata_06_off00047477.bin | rtf-objdata-decoded | RTF \objdata at offset 0x47477 | 19505 bytes | d2e7d13e40264604b168ff9049630a673db0dc3ef036e8fb232251f183591413
objdata_07_off00052993.bin | rtf-objdata-decoded | RTF \objdata at offset 0x52993 | 19505 bytes | a4b9044ea03203c8ec2fe434fa2f88ca523e5007daaf927f1f26006a1a2f8c36
objdata_08_off0005deaf.bin | rtf-objdata-decoded | RTF \objdata at offset 0x5DEAF | 19505 bytes | 5d0c3f0dd6c61485164646306e5fee1001adc6cc839e2c6e23c9c15c6f7ef61c
objdata_09_off000693cb.bin | rtf-objdata-decoded | RTF \objdata at offset 0x693CB | 19505 bytes | 9ffd8599f0e0fabe07da2f027de7ccfa0678d64df0b102b9c23a7f676830f421