Malicious RTF — malware analysis report

Static analysis result for SHA-256 8f33e77359a76343…

MALICIOUS

RTF

3.00 MB Created: 2018-04-16 17:03:00 First seen: 2020-02-04
MD5: 6e203daf62b4752ee2509014b0d85b12 SHA-1: ffff7735f71292fc238cb3793b3deb2547c6e57d SHA-256: 8f33e77359a76343711c54d9a6a72fc1a14697c5c8c5f52bc382863f259aafd4
522 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF document contains multiple critical heuristic firings indicating exploitation of CVE-2017-8759 (MSXML SAX OLE activation) and CVE-2017-8570 (Composite Moniker, drops SCT script). These vulnerabilities are used to embed and execute OLE objects, including PE headers and shellcode, likely to download and run a second-stage payload from the unknown URL. The ClamAV detection of Win.Packer.MalwareCrypter-6620810-1 further supports the malicious nature of the embedded artifacts.

Heuristics 12

  • Composite Moniker — CVE-2017-8570 (drops SCT script) critical CVE related CVE_2017_8570
    RTF \objdata decodes to OLE data containing the Composite Moniker — CVE-2017-8570 (drops SCT script) CLSID — the vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
  • CVE-2017-8759 — MSXML SAX OLE activation critical CVE likely CVE_2017_8759
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • ClamAV: Win.Packer.MalwareCrypter-6620810-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Packer.MalwareCrypter-6620810-1
  • PE header (with DOS stub) in hex data critical RTF_MZ_HEX
    Hex-encoded PE (MZ + DOS stub) found inside RTF — likely an embedded executable payload
  • Automatically linked OLE object high RTF_OBJAUTLINK
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • Package object class high RTF_OBJCLASS_PACKAGE
    OLE Package object — can wrap arbitrary files
  • Large hex data blocks in OLE object high RTF_EXCESSIVE_HEX
    RTF contains ~2478KB of hex-encoded data inside \objdata sections — may hide a payload
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • OLE object data medium RTF_OBJDATA
    RTF contains 7 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • OlePres presentation stream in RTF OLE object medium RTF_OLEPRES_STREAM
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://seifried.de/t/t.php?stats=send&thread=0 In RTF body
    • http://schemas.microsoft.com/office/word/2003/wordmlIn RTF body

Extracted artifacts 7

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00002728.bin rtf-objdata-decoded RTF \objdata at offset 0x2728 930 bytes
SHA-256: fc1672888db0f0d22becee019d1f3d86b2cc71d1a15d3815651df05e7df698e4
objdata_01_off0025fbc4.bin rtf-objdata-decoded RTF \objdata at offset 0x25FBC4 662 bytes
SHA-256: b0f7754ee33a1335bdea703df94d64e9502d2eb0ff179b3f259c554c8e090638
objdata_02_off0026030b.bin rtf-objdata-decoded RTF \objdata at offset 0x26030B 295417 bytes
SHA-256: e04be3720c41904a2aeded781a00ee67d122f819c01597c486b2678df8a6f22f
Detection
ClamAV: Win.Packer.MalwareCrypter-6620810-1
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: heap spray 0x04, SC_STR_GETPROCADDRESS, SC_STR_LOADLIBRARY Static shellcode analysis recovered API/import strings: LoadLibraryA, GetProcAddress, VirtualAlloc, ExitProcess
objdata_03_off002f1b60.bin rtf-objdata-decoded RTF \objdata at offset 0x2F1B60 2744 bytes
SHA-256: 984e5647589f5f6e5fe3ab0dc4e2c31bcaa2e91ea7a6259aad5180002649c7b5
objdata_04_off002f330d.bin rtf-objdata-decoded RTF \objdata at offset 0x2F330D 1045 bytes
SHA-256: 64843d8810e1b82f3caea220364e8db6796b288d330227e18e1b4992e51389ce
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): WScript.Shell")
objdata_05_off002f3d64.bin rtf-objdata-decoded RTF \objdata at offset 0x2F3D64 3944 bytes
SHA-256: 457a253401e89ca51b7e0458e712e2674cbb0d5fa71957efcf246662243f8d75
objdata_06_off002f627a.bin rtf-objdata-decoded RTF \objdata at offset 0x2F627A 3959 bytes
SHA-256: 0e0108b127ad0e9b9018982e12304e21a5ce906e1e138ef1474dd8d53a094461

Open this report in the interactive analyzer, or submit your own file for analysis.