Malicious RTF — malware analysis report

Static analysis result for SHA-256 8ecb075bba3f583d…

MALICIOUS

RTF

Size: 816.5 KB | Created: 2017-11-10 04:57:00 | First seen: 2017-11-20
MD5: 17ca9f124998e5c805bbcdf6d4c4d3a1
SHA-1: 53cc13708c54243ead550de6a7c57524597e36e6
SHA-256: 8ecb075bba3f583d350e136b9df81d2a773f26174a014c59f26915eca785dc4a
Risk Score: 262

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment

The RTF file contains multiple embedded OLE objects and triggers an exploit for CVE-2017-8759, which is known to facilitate arbitrary code execution. This indicates the file's primary purpose is to exploit this vulnerability to download and execute a secondary payload, likely delivered via a spearphishing attachment. The ClamAV detection further supports its malicious nature.

Heuristics (6)

  • CVE-2017-8759 — MSXML SAX OLE activation | critical | CVE likely | CVE_2017_8759
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • ClamAV: Doc.Macro.Obfuscation-6391394-0 | critical | CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.Obfuscation-6391394-0
  • \objupdate forces OLE activation | high | RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data | medium | RTF_OBJDATA
    RTF contains 10 \objdata section(s) — embedded OLE objects
  • Embedded OLE object | medium | RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Embedded URL | info | EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
objdata_00_off00002a8f.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2A8F | 28225 bytes
  SHA-256: 2ca755df5ef1df6d58538fb50b38d1ea6810d7cdae9b6d6bacf7bc2a976ed0da
  Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
  Obfuscation or payload: unlikely
objdata_01_off0001610e.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1610E | 28225 bytes
  SHA-256: a1e6895d8ee1efc3e9a89c1a691d99e48e5b766f0f6a72f889ad8c6e55b729b5
  Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
  Obfuscation or payload: unlikely
objdata_02_off0002978f.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2978F | 28225 bytes
  SHA-256: edeffbbf272b8a018dcf277ba11f1ba6bd6dae8390f3f6839a6ae62d72f3c382
  Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
  Obfuscation or payload: unlikely
objdata_03_off0003ce10.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3CE10 | 28225 bytes
  SHA-256: 2f98b5410efaebce85849210c76a0fe0dabac30cb791a615c3f039b793965b4e
  Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
  Obfuscation or payload: unlikely
objdata_04_off00050491.bin | rtf-objdata-decoded | RTF \objdata at offset 0x50491 | 28225 bytes
  SHA-256: 1c85b31937a36d8d4292a5b622e889c264a35f8591f3c9daea6d2b7c74b9356e
  Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
  Obfuscation or payload: unlikely
objdata_05_off00063b12.bin | rtf-objdata-decoded | RTF \objdata at offset 0x63B12 | 28225 bytes
  SHA-256: 17d670b83f4af17dc6588614eb877d41dde5407978989707c91c322f02aa6104
  Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
  Obfuscation or payload: unlikely
objdata_06_off00077193.bin | rtf-objdata-decoded | RTF \objdata at offset 0x77193 | 28225 bytes
  SHA-256: d63a30e6551e9c445475fcb7bc8e479e031d64d49f21a0bb2841e0652047c1e1
  Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
  Obfuscation or payload: unlikely
objdata_07_off0008a814.bin | rtf-objdata-decoded | RTF \objdata at offset 0x8A814 | 28225 bytes
  SHA-256: 1c98ba8ff89c24b576e6f2aa4d1469a00e7e5316f1afde721072d69cefe16be8
  Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
  Obfuscation or payload: unlikely
objdata_08_off0009de95.bin | rtf-objdata-decoded | RTF \objdata at offset 0x9DE95 | 28225 bytes
  SHA-256: 4fb7b78772d0bcb0721c8f726f431fc6ba94cf53980cab73beaf9cf4bf0ae8ea
  Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
  Obfuscation or payload: unlikely
objdata_09_off000b1516.bin | rtf-objdata-decoded | RTF \objdata at offset 0xB1516 | 28225 bytes
  SHA-256: a59c0d2fd2ae0709d54fda3563c6d8653c895fa7c82b5c77f62d1282d23307dd
  Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
  Obfuscation or payload: unlikely