Malicious RTF — malware analysis report

Static analysis result for SHA-256 94d2ac11b2438eee…

Verdict: MALICIOUS
File type: RTF
Size: 862.3 KB
Created: 2018-04-18 01:50:00
First seen: 2018-04-30
MD5: 14a69824518d96a2a364f7a6d7e0da7a
SHA-1: 5d3d64833b92df4e57c3d8b6c476a3cc146ecc7a
SHA-256: 94d2ac11b2438eeefabe999a80686225700644f3187b4b931b4bf90a1f92142b
Risk score: 142

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment

The RTF file embeds 11 OLE objects and forces their activation via \objupdate, which is a strong indicator of exploitation: benign documents rarely need an object instantiated before the user interacts with it. The critical heuristic for CVE-2017-8759 (a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 wrapping an embedded OLE compound document, plus forced activation) matches the staging shape used by that exploit. A static heuristic match is strong evidence rather than proof of exploitation, so confirm the verdict by detonating the sample or inspecting the carved objects. The 11 carved objects are all the same size but have distinct hashes. The only extracted URL is the Word 2003 XML namespace and is not considered a malicious IOC.

Heuristics (5)

  • CVE-2017-8759 — MSXML SAX OLE activation [critical] (CVE likely: CVE-2017-8759; rule CVE_2017_8759)
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • \objupdate forces OLE activation [high] (rule RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, without the user having to activate the object. Rare in benign documents; common in RTF exploit documents, including Equation Editor (CVE-2017-11882) and CVE-2017-8759 samples.
  • OLE object data [medium] (rule RTF_OBJDATA)
    RTF contains 11 \objdata sections (embedded OLE objects).
  • Embedded OLE object [medium] (rule RTF_OBJEMB)
    RTF contains \objemb (embedded OLE object).
  • Embedded URL [info] (rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)
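The three RTF indicators above (\objupdate, \objemb, hex-encoded \objdata carrying an OLE1 object whose class name and native payload can be read back) can be reproduced with a few dozen lines of Python. The following is an added example written for this page, not the analysis platform's own rule engine: it carves each \objdata group, decodes the hex, parses the MS-OLEDS OLE1 header for the class name, checks whether the native data starts with the compound-file signature, and combines those facts the way the critical heuristic does. The sample RTF it builds is constructed inline (it is not the document in this report), and the brace/hex handling is deliberately simpler than what rtfobj does with obfuscated samples.

```python
"""Minimal RTF OLE-object triage (added example, not the report platform's code):
flags \\objupdate/\\objemb, carves \\objdata hex, parses the OLE1 header for the
class name and checks whether the native payload is a compound document."""
import re
import struct

OLE1_EMBEDDED = 0x00000002                        # MS-OLEDS FormatID for EmbeddedObject
CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"    # compound file (OLE2) signature


def _lp_ansi(s: bytes) -> bytes:
    """MS-OLEDS LengthPrefixedAnsiString: length (incl. NUL) + bytes + NUL; length 0 = empty."""
    return (struct.pack("<I", len(s) + 1) + s + b"\x00") if s else struct.pack("<I", 0)


def build_ole1_object(class_name: str, native: bytes) -> bytes:
    """Build an OLE1 EmbeddedObject stream in the layout Word stores inside \\objdata."""
    header = struct.pack("<II", 0x00000501, OLE1_EMBEDDED)                   # OLEVersion, FormatID
    header += _lp_ansi(class_name.encode()) + _lp_ansi(b"") + _lp_ansi(b"")  # Class, Topic, Item
    return header + struct.pack("<I", len(native)) + native                  # NativeDataSize, NativeData


def parse_ole1_object(blob: bytes) -> dict:
    """Parse the OLE1 header; return class name, format id and the native payload."""
    version, fmt = struct.unpack_from("<II", blob, 0)
    off = 8
    fields = []
    for _ in range(3):                                   # ClassName, TopicName, ItemName
        (n,) = struct.unpack_from("<I", blob, off)
        off += 4
        fields.append(blob[off:off + n].rstrip(b"\x00").decode("latin-1"))
        off += n
    native = b""
    if fmt == OLE1_EMBEDDED:
        (size,) = struct.unpack_from("<I", blob, off)
        native = blob[off + 4:off + 4 + size]
    return {"version": version, "format_id": fmt, "class_name": fields[0],
            "native": native, "native_is_cfb": native.startswith(CFB_MAGIC)}


def _group_body(data: bytes, start: int) -> bytes:
    """Bytes from start up to the '}' that closes the RTF group we are inside."""
    depth = 0
    for i in range(start, len(data)):
        if data[i] == 0x7B:              # '{'
            depth += 1
        elif data[i] == 0x7D:            # '}'
            if depth == 0:
                return data[start:i]
            depth -= 1
    return data[start:]


def analyze_rtf(rtf: bytes) -> dict:
    """Return the indicators the report's RTF heuristics key on."""
    result = {
        "objupdate": bool(re.search(rb"\\objupdate\b", rtf)),
        "objemb": bool(re.search(rb"\\objemb\b", rtf)),
        "objects": [],
    }
    for m in re.finditer(rb"\\objdata\b", rtf):
        body = _group_body(rtf, m.end())
        # Simplification: malicious samples pad the hex with control words and junk;
        # rtfobj-style decoders cope with that, here we just keep the hex digits.
        hexdigits = re.sub(rb"[^0-9A-Fa-f]", b"", body)
        blob = bytes.fromhex(hexdigits[: len(hexdigits) & ~1].decode())
        if len(blob) >= 8:
            obj = parse_ole1_object(blob)
            obj["offset"] = m.start()
            result["objects"].append(obj)
    return result


def matches_cve_2017_8759_shape(info: dict) -> bool:
    """Forced activation of an embedded Msxml2.SAXXMLReader OLE1 object whose native
    data is a compound document. A match is a strong indicator, not proof."""
    return info["objupdate"] and any(
        o["class_name"].startswith("Msxml2.SAXXMLReader") and o["native_is_cfb"]
        for o in info["objects"])


def build_sample_rtf() -> bytes:
    """Constructed test document (not the sample in this report) with one object."""
    native = CFB_MAGIC + b"\x00" * 24    # stub: only the signature of a compound file
    hexdata = build_ole1_object("Msxml2.SAXXMLReader.6.0", native).hex().encode()
    hexdata = b"\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return (b"{\\rtf1\\ansi\\deff0\n"
            b"{\\object\\objemb\\objupdate{\\*\\objclass Msxml2.SAXXMLReader.6.0}"
            b"\\objw1000\\objh1000{\\*\\objdata\n" + hexdata + b"}}\n\\par }")


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_rtf()
    info = analyze_rtf(data)
    for o in info["objects"]:
        print(f"objdata@0x{o['offset']:X} class={o['class_name']!r} "
              f"native={len(o['native'])}B cfb={o['native_is_cfb']}")
    print("objupdate:", info["objupdate"], "objemb:", info["objemb"],
          "CVE-2017-8759 shape:", matches_cve_2017_8759_shape(info))
```

Run it with a path to an RTF to triage that file, or with no argument to analyze the constructed sample. The carved `native` bytes are what the report lists as extracted artifacts; on a real sample they would be written to disk and hashed for the next stage of analysis.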

Extracted artifacts (11)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
objdata_00_off00002c9b.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2C9B | 26683 bytes | d89d2afa5098584faf8139c00f42d4ccac7e6bfd3353db0fa6dd03fcc9ffbdd5
objdata_01_off0001575e.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1575E | 26683 bytes | be7e426a0029b6de2538c12582f5d31c0b69e82eb64d59c999e8298ead57f154
objdata_02_off00028221.bin | rtf-objdata-decoded | RTF \objdata at offset 0x28221 | 26683 bytes | a07c8f5d5c93e40c795beabe063c4b79d3d2e8942afdbe37b733e63848018346
objdata_03_off0003ace4.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3ACE4 | 26683 bytes | 7b7c9f9c1f105fa3350be3976a846b589703ebfeebf3dd54b083db8a418972ce
objdata_04_off0004d7a7.bin | rtf-objdata-decoded | RTF \objdata at offset 0x4D7A7 | 26683 bytes | af66913ffe22b47b3de98413d625d395d01fc5da84fd39b6e979199b3c6320de
objdata_05_off0006026a.bin | rtf-objdata-decoded | RTF \objdata at offset 0x6026A | 26683 bytes | a1bd1fb7dce6dc4e95c3e7a406719a1466d0de6616fd6ef94fdb44c44ad27bd3
objdata_06_off00072d34.bin | rtf-objdata-decoded | RTF \objdata at offset 0x72D34 | 26683 bytes | 4aa9096e5444d4bbf239e02e898baaeb04e7e7c662b9a94fc2cac0959bad9300
objdata_07_off000857f7.bin | rtf-objdata-decoded | RTF \objdata at offset 0x857F7 | 26683 bytes | 0d9520a6c379926a835ec47d86f33d193d215a5656d84472cd04259e4f6d9206
objdata_08_off000982ba.bin | rtf-objdata-decoded | RTF \objdata at offset 0x982BA | 26683 bytes | 0278954420c4020ef687a903eeebff91ce9b44168d5ecb74f7fe022af7b6fbb6
objdata_09_off000aad7d.bin | rtf-objdata-decoded | RTF \objdata at offset 0xAAD7D | 26683 bytes | 77b3a4fd2a70f20ca0e3231bb210e5107a51e4a63037c69bf36f3f093c7dfcb9
objdata_10_off000bd840.bin | rtf-objdata-decoded | RTF \objdata at offset 0xBD840 | 26683 bytes | a1d090acd0a6f3bbcfc49ee38be03902f623fb0aebee5d12c9392e04ecd87fd2