Malicious RTF — malware analysis report

Static analysis result for SHA-256 933216c3a117832c…

MALICIOUS

RTF

Size: 808.1 KB   Created: 2018-03-12 22:03:00   First seen: 2018-06-25
MD5:     1ea1355cd1016c9d0f9f8b3dd5ff7ad7
SHA-1:   e9cd6d62ded16d9b048b992e06203cd267d1acd1
SHA-256: 933216c3a117832caf6a114fa82b09326fb640b0756d48596670f5eb0527cde9
Risk score: 262

Malware Insights

MITRE ATT&CK
T1203     Exploitation for Client Execution
T1566.001 Spearphishing Attachment

The RTF file contains multiple embedded OLE objects and carries the \objupdate control word, which forces those objects to be instantiated as soon as the document is opened. Together with the hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 that wraps an OLE compound document, this is the staging shape used to exploit CVE-2017-8759 (the .NET Framework SOAP/WSDL parser code-injection flaw) for client execution. ClamAV flags the carved objects as Xls.Downloader.Generic-6750544-0, a generic downloader signature that does not identify a specific family. The likely delivery vector is a spearphishing attachment; the embedded object would then fetch and run a secondary payload, but the only URL extracted from this sample is a benign Word schema namespace, so no download location is recoverable from static analysis alone.

Heuristics 6

  • CVE-2017-8759 — MSXML SAX OLE activation [critical, likely] CVE_2017_8759
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • ClamAV: Xls.Downloader.Generic-6750544-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Generic-6750544-0 (a generic downloader signature; the name does not identify the family).
  • \objupdate forces OLE activation [high] RTF_OBJUPDATE
    RTF contains \objupdate, which makes Word instantiate the embedded OLE object when the document is opened, so the exploit fires without the user double-clicking the object. It is rare in benign documents and common in weaponized RTF exploit documents (Equation Editor, CVE-2017-8759 and similar).
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 10 \objdata section(s): hex-encoded embedded OLE objects (carved below).
  • Embedded OLE object [medium] RTF_OBJEMB
    RTF contains \objemb, an embedded (not linked) OLE object.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2003/wordml (in RTF body). This is the WordprocessingML namespace URI that Word writes into its own output; it is not a network indicator and should not be treated as a download or C2 location.
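The RTF heuristics above (RTF_OBJUPDATE, RTF_OBJEMB, RTF_OBJDATA), the CVE-2017-8759 staging check and the URL labelling can be reproduced with a small scanner. The Python below is an added example written for this page, not code from the analysis platform that produced the report. It assumes the plain {\*\objdata <hex>} layout (real exploit documents interleave junk control words inside the hex, which this example does not strip), follows the OLE1 ObjectHeader layout from MS-OLEDS, and builds its own constructed test RTF rather than carving the analysed sample; the function names (build_ole1, build_rtf, parse_ole1, scan_rtf) are the example's own.

```python
import re
import struct
import textwrap

CFB_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")   # OLE compound document signature
SCHEMA_HOSTS = {"schemas.microsoft.com", "schemas.openxmlformats.org", "www.w3.org"}
OBJDATA_RE = re.compile(r"\\objdata\b\s*([0-9A-Fa-f\s]+)")
URL_RE = re.compile(r"https?://[^\s\"'{}\\]+")


def build_ole1(clsname: str, native: bytes) -> bytes:
    """OLE1 embedded object (MS-OLEDS): ObjectHeader, then NativeDataSize + NativeData."""
    cls = clsname.encode("ascii") + b"\x00"        # LengthPrefixedAnsiString incl. NUL
    return (struct.pack("<II", 0x00000501, 2)      # OLEVersion, FormatID 2 = embedded
            + struct.pack("<I", len(cls)) + cls    # ClassName
            + struct.pack("<II", 0, 0)             # TopicName, ItemName (both empty)
            + struct.pack("<I", len(native)) + native)


def build_rtf(clsname: str, objupdate: bool) -> str:
    """Constructed test document (not the analysed sample): one \\object group with
    \\objemb, optional \\objupdate, \\objclass and the OLE1 blob hex-encoded inside
    \\objdata, wrapped over several lines the way RTF writers emit it."""
    native = CFB_MAGIC + b"\x00" * 24              # stand-in for a compound document
    hexdata = "\n".join(textwrap.wrap(build_ole1(clsname, native).hex(), 64))
    upd = r"\objupdate" if objupdate else ""
    return (r"{\rtf1\ansi{\object\objemb" + upd + r"{\*\objclass " + clsname + "}"
            + "{\\*\\objdata\n" + hexdata + "}}}")


def _lp_string(buf: bytes, off: int):
    """Read a LengthPrefixedAnsiString: 4-byte length, then that many bytes (NUL included)."""
    (n,) = struct.unpack_from("<I", buf, off)
    off += 4
    return buf[off:off + n].rstrip(b"\x00").decode("latin-1"), off + n


def parse_ole1(blob: bytes) -> dict:
    """Parse the OLE1 ObjectHeader at the front of a decoded objdata blob."""
    version, fmt = struct.unpack_from("<II", blob, 0)
    clsname, off = _lp_string(blob, 8)
    _topic, off = _lp_string(blob, off)
    _item, off = _lp_string(blob, off)
    native = b""
    if fmt == 2:                                   # embedded: NativeDataSize + NativeData follow
        (size,) = struct.unpack_from("<I", blob, off)
        native = blob[off + 4:off + 4 + size]
    return {"version": version, "format": fmt, "class": clsname, "native": native}


def scan_rtf(text: str) -> list:
    """Reproduce the page's RTF heuristics. Assumption: every objdata group holds only
    hex digits and whitespace; real exploit kits interleave junk control words, which a
    production carver (e.g. oletools' rtfobj) strips and this example does not."""
    findings = []
    has_objupdate = re.search(r"\\objupdate\b", text) is not None
    if has_objupdate:
        findings.append("RTF_OBJUPDATE")
    if re.search(r"\\objemb\b", text):
        findings.append("RTF_OBJEMB")
    blobs = []
    for m in OBJDATA_RE.finditer(text):
        hexstr = re.sub(r"\s+", "", m.group(1))
        blobs.append(bytes.fromhex(hexstr[:len(hexstr) & ~1]))  # drop a dangling nibble
    if blobs:
        findings.append(f"RTF_OBJDATA:{len(blobs)}")
    for blob in blobs:
        try:
            obj = parse_ole1(blob)
        except struct.error:
            continue                                # too short for an OLE1 header
        # CVE-2017-8759 staging shape from the heuristic above: a SAXXMLReader OLE1
        # object wrapping a compound document, with activation forced by \objupdate.
        if ("saxxmlreader" in obj["class"].lower()
                and obj["native"].startswith(CFB_MAGIC) and has_objupdate):
            findings.append("CVE_2017_8759_SHAPE:" + obj["class"])
    # URLs are context, not detections: label Office/XML schema namespaces separately
    # so a benign wordml namespace is not mistaken for a download location.
    for url in URL_RE.findall(text):
        host = url.split("/", 3)[2].lower()
        tag = "EMBEDDED_URL_SCHEMA" if host in SCHEMA_HOSTS else "EMBEDDED_URL"
        findings.append(f"{tag}:{url}")
    return findings


if __name__ == "__main__":
    print(scan_rtf(build_rtf("Msxml2.SAXXMLReader.6.0", True)))
    print(scan_rtf(build_rtf("Package", False)))
```

The CVE shape is only reported when all three conditions hold (SAXXMLReader class name, a compound document in the native data, and \objupdate present); the same object without \objupdate still yields the RTF_OBJEMB and RTF_OBJDATA findings but is not escalated, which mirrors how the report separates the medium-severity structural hits from the critical CVE match.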

Extracted artifacts 10

Files carved from inside the sample during analysis. All ten \objdata blobs decode to exactly 27195 bytes, sit at a fixed stride of 0x132F6 bytes in the RTF, and hit the same ClamAV signature, yet carry ten different SHA-256 values. This suggests repeated copies of one object with small byte-level differences rather than ten distinct payloads; diff the carved files before treating each hash as a separate indicator.

Filename | Kind | Source | Size
objdata_00_off00002c46.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2C46 | 27195 bytes
  SHA-256: a9f56b882573b005558235ccd82fcbe7a0267aa22fcd37ef8048f301801f5901
  Detection: ClamAV: Xls.Downloader.Generic-6750544-0
  Obfuscation or payload: unlikely
objdata_01_off00015f3c.bin | rtf-objdata-decoded | RTF \objdata at offset 0x15F3C | 27195 bytes
  SHA-256: dd0782204b2f9f939ac285ead963461f148ffe3197d001317e067e191f53093b
  Detection: ClamAV: Xls.Downloader.Generic-6750544-0
  Obfuscation or payload: unlikely
objdata_02_off00029232.bin | rtf-objdata-decoded | RTF \objdata at offset 0x29232 | 27195 bytes
  SHA-256: 839dd59ba5e60664f72e563c1cf4d1ec52608fd5155dc36ff3e02b5173f74e9e
  Detection: ClamAV: Xls.Downloader.Generic-6750544-0
  Obfuscation or payload: unlikely
objdata_03_off0003c528.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3C528 | 27195 bytes
  SHA-256: 48416f769c9d021f4c995b601491698d7c297d1567a3d5457c27df70fc687d17
  Detection: ClamAV: Xls.Downloader.Generic-6750544-0
  Obfuscation or payload: unlikely
objdata_04_off0004f81e.bin | rtf-objdata-decoded | RTF \objdata at offset 0x4F81E | 27195 bytes
  SHA-256: fd903ebe07b08244ba50be940a6b9b395a9c07567679f3596cbf06eaeda928d5
  Detection: ClamAV: Xls.Downloader.Generic-6750544-0
  Obfuscation or payload: unlikely
objdata_05_off00062b14.bin | rtf-objdata-decoded | RTF \objdata at offset 0x62B14 | 27195 bytes
  SHA-256: b8d71305cf8cd79fff8a65067e3787c876719a382b9f3682f5ff41c780c80358
  Detection: ClamAV: Xls.Downloader.Generic-6750544-0
  Obfuscation or payload: unlikely
objdata_06_off00075e0a.bin | rtf-objdata-decoded | RTF \objdata at offset 0x75E0A | 27195 bytes
  SHA-256: ddc9c93b1acb41f0f4a97d562e1e4b37da46a121889ad5d727a676dfdbdbf5a3
  Detection: ClamAV: Xls.Downloader.Generic-6750544-0
  Obfuscation or payload: unlikely
objdata_07_off00089100.bin | rtf-objdata-decoded | RTF \objdata at offset 0x89100 | 27195 bytes
  SHA-256: 879dd161ec1c9dc32955da0637d541db7ee025652ed2455c76f7bf71bbca597e
  Detection: ClamAV: Xls.Downloader.Generic-6750544-0
  Obfuscation or payload: unlikely
objdata_08_off0009c3f6.bin | rtf-objdata-decoded | RTF \objdata at offset 0x9C3F6 | 27195 bytes
  SHA-256: 7b0a4b58dfbf9463fb3e7f15b88e078e5dcb8e4f1f3f44ac68ae4743f02c0075
  Detection: ClamAV: Xls.Downloader.Generic-6750544-0
  Obfuscation or payload: unlikely
objdata_09_off000af6ec.bin | rtf-objdata-decoded | RTF \objdata at offset 0xAF6EC | 27195 bytes
  SHA-256: 0bf6a4fb82501a83334dea68b7ad34f862f907b5508ee509dfb46114f84e4de8
  Detection: ClamAV: Xls.Downloader.Generic-6750544-0
  Obfuscation or payload: unlikely