Malicious RTF — malware analysis report

Static analysis result for SHA-256 87a78c614633967e…

Verdict: MALICIOUS
File type: RTF
Size: 13.34 MB
Created: 2018-01-23 22:58:00
First seen: 2021-08-20
MD5: 9c92abd3a2257178d36f77ed8e41b3ea
SHA-1: b49e313babb57b520f12dbbca24eca55f535b466
SHA-256: 87a78c614633967e00d23bcaabb30e97a033b56166595b801d545010b01a2edd
Risk score: 742

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.001 PowerShell
  • T1059.003 Windows Command Shell
  • T1566.001 Spearphishing Attachment

This RTF document exploits CVE-2017-8759 and CVE-2023-21716, indicated by the MSXML OLE activation and the anomalous font table size. It contains suspicious references to WinExec, CreateProcess, ShellExecute, cmd.exe, PowerShell, bitsadmin, and URL monikers, suggesting it attempts to download and execute a secondary payload. The document body also contains lures related to remote support tools and command execution, further indicating malicious intent.

Heuristics (20)

  • CVE-2017-8759 — MSXML SAX OLE activation [severity: critical | CVE match: likely | rule: CVE_2017_8759]
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • CVE-2023-21716 — \fonttbl with 32768 entries [severity: critical | CVE match: exact | rule: CVE_2023_21716]
    RTF font table contains 32768 font entries, which is highly anomalous — CVE-2023-21716 triggers a heap buffer overflow in Word's RTF font table parser when the number of entries is very large (exploitable from ~32768 entries). This document is suspicious.
  • URL Moniker in RTF OLE object [severity: high | CVE match: related | rule: RTF_URL_MONIKER_RELATED]
    RTF contains a URL Moniker GUID in OLE object context, but no decoded remote target was confirmed. Treat as related OLE2Link attack-surface evidence rather than proof of CVE-2017-0199 exploitation.
  • Reference to WinExec API [severity: high | rule: SC_STR_WINEXEC]
  • Reference to CreateProcess API [severity: high | rule: SC_STR_CREATEPROCESS]
  • Reference to ShellExecute API [severity: high | rule: SC_STR_SHELLEXEC]
  • Suspicious cmd.exe invocation with execution flag [severity: high | rule: SC_STR_CMD]
  • Reference to PowerShell [severity: high | rule: SC_STR_POWERSHELL]
  • Reference to Windows Script Host [severity: high | rule: SC_STR_WSCRIPT]
  • Reference to bitsadmin (download) [severity: high | rule: SC_STR_BITSADMIN]
  • Reference to LoadLibrary API [severity: high | rule: SC_STR_LOADLIBRARY]
  • Reference to GetProcAddress API [severity: high | rule: SC_STR_GETPROCADDRESS]
  • Large hex data blocks in OLE object [severity: high | rule: RTF_EXCESSIVE_HEX]
    RTF contains ~1167 KB of hex-encoded data inside \objdata sections, which may hide a payload.
  • Clipboard command execution lure [severity: high | rule: SE_CLIPBOARD_COMMAND_LURE]
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context.
  • LOLBin token sequence in document text [severity: high | rule: SE_LOLBIN_RUN_COMMAND]
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Remote-support tool lure [severity: high | rule: SE_REMOTE_SUPPORT_LURE]
    Document instructs the user to install, open, or connect with a remote-support tool such as AnyDesk, TeamViewer, Quick Assist, or ScreenConnect; this is high-risk in an unsolicited document.
  • OLE object data [severity: medium | rule: RTF_OBJDATA]
    RTF contains 1 \objdata section(s) (embedded OLE objects).
  • Embedded OLE object [severity: medium | rule: RTF_OBJEMB]
    RTF contains \objemb (embedded OLE object).
  • OlePres presentation stream in RTF OLE object [severity: medium | rule: RTF_OLEPRES_STREAM]
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
  • Embedded URL [severity: info | rule: EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels state which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • objdata_00_off00964176.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x964176
    Size: 58816 bytes
    SHA-256: 5d5426403c3607860d1289fa6f366c01db08687be1f5cace02677832a838b374