Malicious RTF — malware analysis report

Static analysis result for SHA-256 7df1859571c93123…

MALICIOUS

RTF

Size: 37.6 KB
First seen: 2019-05-10
MD5: 3f687ed347b7b867cfef63be9bb8f2c7
SHA-1: b6bf8d7c86bc40e96c5839caa3fb4f0f24c426df
SHA-256: 7df1859571c9312335702035e7a12af9a525c8c88e81f2854b04c28135149ad3
Risk Score: 142

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment

The RTF document contains embedded OLE object data and specifically triggers the Equation Editor vulnerability. This indicates an attempt to execute arbitrary code on the victim's machine. The extracted artifact 'objdata_00_off00008c30.bin' is likely shellcode or a component of the exploit, suggesting the document's purpose is to download and execute a secondary malicious payload.

Heuristics (5)

  • Split hex Equation Editor ProgID + OLE object (critical; CVE likely) [RTF_EQUATION_EDITOR]
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation (high) [RTF_OBJUPDATE]
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (medium) [RTF_OBJDATA]
    RTF contains 1 \objdata section(s) containing embedded OLE objects.
  • Suspicious extracted artifact (medium) [EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00008c30.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x8C30
Size: 1316 bytes
SHA-256: e27ee5a2c3bd84b534ced896403c1e333a7e6616cbc82b99e8b9647d4c3d79d3
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_STR_LOADLIBRARY, SC_STR_URLDOWNLOAD, SC_PEB_ACCESS
Static shellcode analysis recovered API/import strings: LoadLibraryW, GetProcAddress, URLDownloadToFileW, ExitProcess, ShellExecuteW