Malicious RTF — malware analysis report

Static analysis result for SHA-256 88274fc3922063bf…

Verdict: MALICIOUS
File type: RTF
Size: 485.2 KB
Created: 2013-10-14 12:25:00
First seen: 2020-08-10
MD5: 7b207ba6fb01bb3fe7a2649b3dbdffc8
SHA-1: e6bcc04fda617f651a03e091fbb9a720f9d79632
SHA-256: 88274fc3922063bffd30d8d759ea44f7e788cc48e41297aaee39d432bc732669
Risk score: 350

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The file is an RTF document containing an embedded OLE object, which static analysis indicates is likely malicious and exploits CVE-2012-0158. The document body mimics an invoice, a common lure for users to interact with embedded content. The presence of a NOP sled and the ClamAV detection as 'Rtf.Dropper.Agent-7577689-0' strongly suggest this file is a dropper designed to execute a secondary payload.

Heuristics (11)

  • MSCOMCTL.ListView — CVE-2012-0158 (high; CVE likely; CVE_2012_0158)
  • ClamAV: Rtf.Dropper.Agent-7577689-0 (critical; CLAMAV_DETECTION)
    ClamAV detected this file as malware: Rtf.Dropper.Agent-7577689-0
  • Embedded Office document has suspicious static findings (critical; EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE)
    A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
  • NOP sled detected (high; SC_NOP_SLED)
    Found 20+ consecutive 0x90 bytes
    Disassembly: attempted x86 opcode disassembly of the candidate region
  • Password-protected archive handoff (high; SE_PASSWORD_ARCHIVE_LURE)
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • OLE document has large unaccounted-for region (high; OLE_SLACK_ANOMALY)
    OLE file is 447,953 bytes but its declared streams total only 28 bytes — 447,925 bytes (100%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • OLE object data (medium; RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Callback phishing phone lure (medium; SE_CALLBACK_LURE)
    Document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • Suspicious extracted artifact (medium; EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Fake invoice / payment lure (low; SE_INVOICE_LURE)
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • Embedded URL (info; EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000bee0.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0xBEE0
Size: 61 bytes
SHA-256: dc121a0543b0c5ccec0adc006b156e2efe4e52e3eaee64372a33799074f80015

Filename: embedded_office_off0000bf1f.ole
Kind: embedded-office
Source: Embedded OLE/CFB Office body inside rtf container at offset 0xBF1F
Size: 447953 bytes
SHA-256: bc7878692ee4a52b25d7d8ca0ee2dcef67b2a332137e269b59e044ad1cb4adc5
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: NOP sled