Malicious RTF — malware analysis report

Static analysis result for SHA-256 93bbebd09acfed43…

Verdict: MALICIOUS
File type: RTF
Size: 801.1 KB  Created: 2018-04-18 01:41:00  First seen: 2020-02-04
MD5: 27fcc8580e2d2062130be62fe5923c19
SHA-1: b2f307f782eaa2834b93b945300dcd0759445868
SHA-256: 93bbebd09acfed439cda0c5c375abb5e82af69f3387599982c43390114ad8130
Risk score: 142

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file contains multiple embedded OLE objects and forces OLE activation via \objupdate, so the objects are instantiated as soon as the document is opened, without the user clicking anything. The critical heuristic for CVE-2017-8759 (MSXML SAX OLE activation) indicates exploitation of that vulnerability; exploits for it are commonly used to download and execute arbitrary code. The only URL extracted from the RTF body is a standard WordML schema namespace and is benign, but that does not lower the verdict: in a CVE-2017-8759 document the attacker-controlled URL sits inside the decoded object data (the SOAP moniker / WSDL reference), not in the RTF body, so it should be looked for in the carved objdata_*.bin artifacts rather than in the body URL list. The exploitation technique itself strongly indicates an attempt to compromise the user's system.

Heuristics (5)

  • CVE-2017-8759 — MSXML SAX OLE activation [critical, CVE likely] (CVE_2017_8759)
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection. It is a structural match; confirm it by decoding the carved objects and checking for the SOAP moniker / WSDL reference.
  • \objupdate forces OLE activation [high] (RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Rarely present in benign documents; characteristic of exploit documents that depend on OLE activation (Equation Editor exploits and, as here, MSXML SAX activation).
  • OLE object data [medium] (RTF_OBJDATA)
    RTF contains 10 \objdata section(s), i.e. embedded OLE objects.
  • Embedded OLE object [medium] (RTF_OBJEMB)
    RTF contains \objemb, an embedded OLE object.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)
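The staging shape the heuristics above describe can be checked directly. The following is an added example, not the analysis platform's own code: it constructs a small RTF of the same shape (a hex-encoded OLE1 object whose ObjectHeader names Msxml2.SAXXMLReader.6.0, then a blob carrying the OLE compound-document magic, both under \objemb\objupdate) and scans it the way the RTF_OBJDATA, RTF_OBJUPDATE and CVE_2017_8759 heuristics do: count \objdata blocks, note \objemb and \objupdate, decode each hex blob, read the OLE1 class name, and hash the carved bytes. The OLE1 ObjectHeader layout follows MS-OLEDS; the sample bytes, function names and the "shape" rule are assumptions made for this example, and the rule is a structural match only, not proof of exploitation.

```python
import hashlib
import re
import struct

# Added example, not the sandbox's code. Builds a constructed RTF in the
# CVE-2017-8759 staging shape and scans it like the heuristics above.

OLE1_FORMAT_LINKED = 1
OLE1_FORMAT_EMBEDDED = 2                       # FormatID values, MS-OLEDS 2.2.4
CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE compound document header


def lp_ansi(s: bytes) -> bytes:
    """LengthPrefixedAnsiString: uint32 length (incl. NUL) then the bytes."""
    return struct.pack("<I", len(s) + 1) + s + b"\x00"


def build_ole1_blob(class_name: bytes, native: bytes) -> bytes:
    """OLE 1.0 ObjectHeader for an embedded object, then NativeDataSize + NativeData."""
    hdr = struct.pack("<II", 0x00000501, OLE1_FORMAT_EMBEDDED)
    hdr += lp_ansi(class_name) + struct.pack("<II", 0, 0)  # empty TopicName, ItemName
    return hdr + struct.pack("<I", len(native)) + native


def rtf_object(blob: bytes, cls: str) -> str:
    """Wrap a blob as {\\object\\objemb\\objupdate ... {\\*\\objdata <hex>}}."""
    hexdata = blob.hex()
    body = "\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return ("{\\object\\objemb\\objupdate{\\*\\objclass " + cls + "}"
            "{\\*\\objdata\n" + body + "\n}}")


def build_sample_rtf() -> str:
    """Constructed sample: a SAXXMLReader OLE1 object, then a compound-doc blob."""
    sax = build_ole1_blob(b"Msxml2.SAXXMLReader.6.0", b"<placeholder/>")
    cfb = CFB_MAGIC + b"\x00" * 24  # header magic only, not a real CFB file
    return ("{\\rtf1\\ansi\n" + rtf_object(sax, "Msxml2.SAXXMLReader.6.0")
            + "\n" + rtf_object(cfb, "Package") + "\n}")


def read_lp_ansi(buf: bytes, off: int):
    (n,) = struct.unpack_from("<I", buf, off)
    off += 4
    return buf[off:off + n].rstrip(b"\x00").decode("latin-1"), off + n


def parse_ole1_class(blob: bytes):
    """Return the OLE1 ObjectHeader class name, or None if blob is not OLE1."""
    if len(blob) < 12:
        return None
    _version, fmt = struct.unpack_from("<II", blob, 0)
    if fmt not in (OLE1_FORMAT_LINKED, OLE1_FORMAT_EMBEDDED):
        return None
    try:
        cls, _ = read_lp_ansi(blob, 8)
    except struct.error:
        return None
    return cls


OBJDATA_RE = re.compile(r"\\objdata\b([^}]*)")


def scan_rtf(text: str) -> dict:
    """Mimic RTF_OBJEMB / RTF_OBJUPDATE / RTF_OBJDATA and carve each \\objdata blob."""
    report = {
        "objupdate": bool(re.search(r"\\objupdate\b", text)),
        "objemb": bool(re.search(r"\\objemb\b", text)),
        "objects": [],
    }
    for m in OBJDATA_RE.finditer(text):
        # Keep hex digits only: real samples interleave whitespace and junk.
        # Heavily obfuscated RTF (control words inside the hex) needs a full
        # tokenizer such as oletools' rtfobj; this is the simple case.
        hexdata = re.sub(r"[^0-9A-Fa-f]", "", m.group(1))
        if len(hexdata) % 2:
            hexdata = hexdata[:-1]          # drop a dangling nibble instead of failing
        blob = bytes.fromhex(hexdata)
        cls = parse_ole1_class(blob)
        kind = ("ole1-object" if cls is not None
                else "ole-compound-doc" if blob.startswith(CFB_MAGIC)
                else "unknown")
        report["objects"].append({
            "offset": m.start(), "size": len(blob),
            "sha256": hashlib.sha256(blob).hexdigest(),
            "class": cls, "kind": kind,
        })
    return report


def matches_cve_2017_8759_shape(report: dict) -> bool:
    """SAXXMLReader OLE1 object, a later compound document, and forced activation."""
    objs = report["objects"]
    sax = [i for i, o in enumerate(objs)
           if o["class"] and o["class"].startswith("Msxml2.SAXXMLReader")]
    cfb = [i for i, o in enumerate(objs) if o["kind"] == "ole-compound-doc"]
    return bool(sax) and bool(cfb) and min(sax) < max(cfb) and report["objupdate"]


REPORT = scan_rtf(build_sample_rtf())

if __name__ == "__main__":
    print("objupdate:", REPORT["objupdate"], " objemb:", REPORT["objemb"])
    for o in REPORT["objects"]:
        print(f"  off={o['offset']:#x} size={o['size']} kind={o['kind']} "
              f"class={o['class']} sha256={o['sha256'][:16]}...")
    print("CVE-2017-8759 staging shape:", matches_cve_2017_8759_shape(REPORT))
```

Against a real sample, point scan_rtf at the file's text and compare the carved sizes and SHA-256 values with the extracted-artifacts table; a match on the "shape" rule is the cue to open the decoded objects and look for the SOAP moniker and its WSDL URL, which is where the real indicator lives.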

Extracted artifacts (10)

Files carved from inside the sample during analysis. All ten decoded \objdata blocks are 26683 bytes but have distinct SHA-256 hashes, which suggests the same object embedded ten times with small per-copy differences; diff two of the carved files to confirm.

Filename                     Kind                  Source                          Size
objdata_00_off00002c46.bin   rtf-objdata-decoded   RTF \objdata at offset 0x2C46   26683 bytes
  SHA-256: 99b282ce2bfe68ddf135c22a48b001c8caf4340008062059d83a44b0ca6f9290
objdata_01_off00015c67.bin   rtf-objdata-decoded   RTF \objdata at offset 0x15C67  26683 bytes
  SHA-256: 834e6a5e023a325eae5b9030b79a7437f6a4ae28aa2731e7898a74480bc45fa2
objdata_02_off00028c88.bin   rtf-objdata-decoded   RTF \objdata at offset 0x28C88  26683 bytes
  SHA-256: e2a7c814d7efc07d0f1f3f0546357cb1078d48f66c8d56e6739c6d0a3e6a5570
objdata_03_off0003bca9.bin   rtf-objdata-decoded   RTF \objdata at offset 0x3BCA9  26683 bytes
  SHA-256: 16b3a7cdf2a68fcdfebc5e97c4274c579a563373424cd3a1e801e0bf531c8e22
objdata_04_off0004ecca.bin   rtf-objdata-decoded   RTF \objdata at offset 0x4ECCA  26683 bytes
  SHA-256: 1eac0d7a8a60918ff216dcf809deea7602edd072159f74ada6904cc9ec11d39d
objdata_05_off00061d35.bin   rtf-objdata-decoded   RTF \objdata at offset 0x61D35  26683 bytes
  SHA-256: d1bfa63fe265db5bb846e5676a671d8a7179adbc3bd7876b6bcb59cd8248f122
objdata_06_off00074d56.bin   rtf-objdata-decoded   RTF \objdata at offset 0x74D56  26683 bytes
  SHA-256: f6b9c4ddc93f920ecd2c3e73f54f039f470d3f2470bd0556f49cba79724696fa
objdata_07_off00087d77.bin   rtf-objdata-decoded   RTF \objdata at offset 0x87D77  26683 bytes
  SHA-256: 90f4c7bf2e4b0e550ab8714a81708ca1693d0a24fd2044f8f19b9c1e301dcaf3
objdata_08_off0009ad98.bin   rtf-objdata-decoded   RTF \objdata at offset 0x9AD98  26683 bytes
  SHA-256: 2b83594e803b369bbe0b69f4857b613b61ebc8f67363e2b51d7104f6a632e054
objdata_09_off000addb9.bin   rtf-objdata-decoded   RTF \objdata at offset 0xADDB9  26683 bytes
  SHA-256: 2a94ca05b089c55aa337e03a5471ba05769d2f197e8a9c695363a226fc3379c2