Malicious RTF — malware analysis report

Static analysis result for SHA-256 8a5dd62e6987af21…

MALICIOUS

RTF

Size: 650.9 KB
Created: 2021-07-19 18:18:00
MD5: 73ae94305fb5385273a5abd14eaafbb1
SHA-1: c3ad08e39cf46e6e66a64f2dd4900c3405510682
SHA-256: 8a5dd62e6987af211ba50f210c4c2acaaab6582a84fbaa9bb44e8a6230e69c34
Risk Score: 102

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF file contains multiple embedded OLE objects and triggers a critical heuristic for CVE-2017-8759, indicating exploitation of MSXML SAX OLE activation. This vulnerability allows for arbitrary code execution when the document is opened. No document body text or scripts were extracted, but the presence of the exploit is sufficient evidence of malicious intent.

Heuristics (4)

  • CVE-2017-8759 — MSXML SAX OLE activation (severity: critical; category: CVE likely; rule: CVE_2017_8759)
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • OLE object data (severity: medium; rule: RTF_OBJDATA)
    RTF contains 9 \objdata section(s) — embedded OLE objects
  • Embedded OLE object (severity: medium; rule: RTF_OBJEMB)
    RTF contains \objemb — embedded OLE object
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2003/wordml

Extracted artifacts (9)

Files carved from inside the sample during analysis.

Columns: Filename (with SHA-256), Kind, Source, Size

objdata_00_off00002d7a.bin
  SHA-256: 0dfe3356e967c0862682fc521f692ac7161d2f38ac215ded3a76c9dd8523b4ef
  Kind: rtf-objdata-decoded  Source: RTF \objdata at offset 0x2D7A  Size: 23099 bytes
objdata_01_off00013ca7.bin
  SHA-256: 284e8783efbc20af7bd01283083cdf703433d7e400927cf480340011831b4934
  Kind: rtf-objdata-decoded  Source: RTF \objdata at offset 0x13CA7  Size: 23099 bytes
objdata_02_off00024bd4.bin
  SHA-256: b3cb56bab4cab47639dda032602b92a23cf96ec1873a7d527abfb81efb3ffc42
  Kind: rtf-objdata-decoded  Source: RTF \objdata at offset 0x24BD4  Size: 23099 bytes
objdata_03_off00035b01.bin
  SHA-256: 6d3eb3dd3de86287b365ee19beb5167b077e5bf09d94f644877da39120cda971
  Kind: rtf-objdata-decoded  Source: RTF \objdata at offset 0x35B01  Size: 23099 bytes
objdata_04_off00046a2e.bin
  SHA-256: fa2ab0c32a385c8aabca8a0b891c247e886d83afda288ca35bfe239515c20f46
  Kind: rtf-objdata-decoded  Source: RTF \objdata at offset 0x46A2E  Size: 23099 bytes
objdata_05_off0005795b.bin
  SHA-256: 7dbc953e19c298dc84e1c8cd8eecf6837babebc9e711d5cdc8aebb9a6b31e9d2
  Kind: rtf-objdata-decoded  Source: RTF \objdata at offset 0x5795B  Size: 23099 bytes
objdata_06_off00068888.bin
  SHA-256: 04ef3de7b14e7ed8f23425aabf9c7d037dc576606b0ea6dc7b34afe211a9067d
  Kind: rtf-objdata-decoded  Source: RTF \objdata at offset 0x68888  Size: 23099 bytes
objdata_07_off000797b5.bin
  SHA-256: cdb4766ac0eea14cb83682f1590714e45ced9ebaed27ab2f7318ff343d4fab9e
  Kind: rtf-objdata-decoded  Source: RTF \objdata at offset 0x797B5  Size: 23099 bytes
objdata_08_off0008a6e2.bin
  SHA-256: d2f5f9c3c98432ff9e5082504359da7f405c259c5d01c524c8eb0d3f844720d8
  Kind: rtf-objdata-decoded  Source: RTF \objdata at offset 0x8A6E2  Size: 23099 bytes