Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 7fbea70151ce796a…

MALICIOUS

RTF / .DOC

9.2 KB
MD5: 41b70280d39130c628e89fa36d1913f4 SHA-1: 58969f2dccc1a68a44bf8d62a0e67f6035f3e87f SHA-256: 7fbea70151ce796ab8dadbd278fc907d8ef39ce8d6f049d50eddfea2c392b1b8
242 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File Execution: Malicious File T1059.001 Command and Scripting Interpreter: PowerShell

The file is an RTF document that leverages the CVE-2017-8570 vulnerability. This exploit is designed to activate an embedded OLE object, which in turn downloads and executes a JavaScript file from the URL http://iraniansk.com/taskmgr.js. The presence of multiple high and critical heuristic firings related to OLE object activation and the specific CVE strongly indicates this malicious behavior.

Heuristics 7

  • CVE-2017-8570 (Composite Moniker + scriptlet payload) critical CVE likely CVE_2017_8570
    RTF contains Composite Moniker CLSID together with nearby scriptlet/SCT payload evidence, matching the CVE-2017-8570 exploit shape.
  • ClamAV: Rtf.Exploit.CVE_2017_8570-6596183-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Rtf.Exploit.CVE_2017_8570-6596183-0
  • Automatically linked OLE object high RTF_OBJAUTLINK
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://iraniansk.com/taskmgr.js

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00000054.bin
2c050c80d09bfc9cb03b1a9ed7683ce1fc1f213a5b5c69070de69845d706b54e		 rtf-objdata-decoded RTF \objdata at offset 0x54 1955 bytes
objdata_01_off0000100f.bin
4855cf13d63f65d3041488b2845dc9828f35068a8563ee7a5cc55aefea602788		 rtf-objdata-decoded RTF \objdata at offset 0x100F 2633 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.