Malicious RTF — malware analysis report

Static analysis result for SHA-256 89d927745a424710…

Verdict: MALICIOUS
File type: RTF
Size: 918.5 KB
Created: 2018-05-07 02:16:00
First seen: 2018-06-30
MD5: c383e595d2b8467a98b829cd42d0212f
SHA-1: b5e11995d12334e55ffe2a5e75a8e7645bb54200
SHA-256: 89d927745a42471048b188e5adf3124e7451262c9d40415f7bd4d46a534d7d27
Risk score: 262

Malware Insights

MITRE ATT&CK

  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file contains multiple embedded OLE objects and carries an \objupdate control word that forces OLE activation, which is indicative of exploiting vulnerabilities like CVE-2017-8759 for client execution. ClamAV detections further confirm its malicious nature, flagging it as Doc.Macro.Obfuscation. The primary attack vector is likely a spearphishing attachment, with the embedded OLE object serving as the mechanism to download and execute a secondary payload.

Heuristics (6)

  • CVE-2017-8759 — MSXML SAX OLE activation (critical · CVE · likely · CVE_2017_8759)
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • ClamAV: Doc.Dropper.Agent-6412232-1 (critical · CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1
  • \objupdate forces OLE activation (high · RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (medium · RTF_OBJDATA)
    RTF contains 10 \objdata section(s) — embedded OLE objects
  • Embedded OLE object (medium · RTF_OBJEMB)
    RTF contains \objemb — embedded OLE object
  • Embedded URL (info · EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (found in RTF body)

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Fields per artifact: filename, kind, source, size, SHA-256, detection, obfuscation or payload.

  • objdata_00_off00002c14.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x2C14
    Size: 33339 bytes
    SHA-256: e9b016718db4b3d9f234714186f45dc0e21a6bfa2652208c8af49e630866c5ea
    Detection: ClamAV: Doc.Dropper.Agent-6412232-1
    Obfuscation or payload: unlikely
  • objdata_01_off00018b2c.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x18B2C
    Size: 33339 bytes
    SHA-256: ae1793c408519fb0b1732a345074130f9a123d79b619c112643eaf6073a1d5ed
    Detection: ClamAV: Doc.Dropper.Agent-6412232-1
    Obfuscation or payload: unlikely
  • objdata_02_off0002ea44.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x2EA44
    Size: 33339 bytes
    SHA-256: 27226e70111e5ff4a34cc4171422648c7a084b8582c77d959cdbd94baba34dc7
    Detection: ClamAV: Doc.Dropper.Agent-6412232-1
    Obfuscation or payload: unlikely
  • objdata_03_off0004495c.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x4495C
    Size: 33339 bytes
    SHA-256: 28d5f909c6c8b7f2810f7dd1c7e8374c61830ae604e8cd3e5893c87fe8d1c034
    Detection: ClamAV: Doc.Dropper.Agent-6412232-1
    Obfuscation or payload: unlikely
  • objdata_04_off0005a874.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x5A874
    Size: 33339 bytes
    SHA-256: 3e2e4b41beb3a00daad90914e786cf834febdc470ef2514bab8a3d822ce6824c
    Detection: ClamAV: Doc.Dropper.Agent-6412232-1
    Obfuscation or payload: unlikely
  • objdata_05_off000707d6.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x707D6
    Size: 33339 bytes
    SHA-256: 13dd6c0889ef24282d67a126d9ee1ada61f98d7206a78c6671d756c8e2319ca5
    Detection: ClamAV: Doc.Dropper.Agent-6412232-1
    Obfuscation or payload: unlikely
  • objdata_06_off000866ee.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x866EE
    Size: 33339 bytes
    SHA-256: ee54d049ac852ba8edeb931eacf8f23d6a10360b54c04c6ae3e9cd1b16fb7b32
    Detection: ClamAV: Doc.Dropper.Agent-6412232-1
    Obfuscation or payload: unlikely
  • objdata_07_off0009c606.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x9C606
    Size: 33339 bytes
    SHA-256: e2980e55c1c38a4e1a6507284b29da28c8d29ab48dd5142e55ac405fd446cb92
    Detection: ClamAV: Doc.Dropper.Agent-6412232-1
    Obfuscation or payload: unlikely
  • objdata_08_off000b251e.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0xB251E
    Size: 33339 bytes
    SHA-256: 8a241295a469c6ffda6fc9f563660b52fd34cefcc7f7e8fe65adc0cd416c0c87
    Detection: ClamAV: Doc.Dropper.Agent-6412232-1
    Obfuscation or payload: unlikely
  • objdata_09_off000c8436.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0xC8436
    Size: 33339 bytes
    SHA-256: f0bccaea198e44a48501bf2819757c8c4fdbae31ae84c73b890c5f16135896ef
    Detection: ClamAV: Doc.Dropper.Agent-6412232-1
    Obfuscation or payload: unlikely