RTF malware analysis — malicious · 93ddf95d34a02199

MALICIOUS

RTF

45.6 KB Created: 2017-11-19 22:14:00 First seen: 2017-11-29

MD5: 61ef6bd02f911108e4cb790cb9931dcb SHA-1: 086f5c00d72f7244e891624c4d4977b0b1160e0a SHA-256: 93ddf95d34a021994d7eb416e7a6b5c98fe50761508a0ed713c389740ba008f1

122 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains an OLE object that exploits CVE-2017-0199, leveraging a remote URL moniker to fetch and execute a secondary document. The embedded URL http://eatongroup.us/PO/p.doc is the primary indicator of compromise. This technique is commonly used to deliver further stages of malware.

Heuristics 4

CVE-2017-0199 (OLE2Link / remote URL Moniker) critical CVE likely CVE_2017_0199

RTF contains a URL Moniker OLE link whose decoded target is remote. Office can fetch and process the response through the CVE-2017-0199 OLE2Link attack path, but the server-side content type is not proven statically.
Automatically linked OLE object high RTF_OBJAUTLINK

RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://eatongroup.us/PO/p.doc In RTF body
- http://schemas.microsoft.com/office/word/2003/wordmlIn RTF body

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off00003400.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x3400	3640 bytes
SHA-256: `d2e6efbca9a0b0a293b086daab05a68845fee6cfe72781e2d5b4f4fff56bdeba`

Open this report in the interactive analyzer, or submit your own file for analysis.