Malicious RTF — malware analysis report

Static analysis result for SHA-256 95097c4aeb9e777a…

Verdict: MALICIOUS
File type: RTF
Size: 382.7 KB
Created: 2022-06-15 11:31:00
First seen: 2022-06-17
MD5: a7bdbe3fd3ddc8cae4a7eb2569169b38
SHA-1: 18776d6139f6f0c74ec400126f2b4983c325aba4
SHA-256: 95097c4aeb9e777a5be7537ff8f8ea4956a181db0854ba18250e7e7432ccd5fc
Risk Score: 224

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File: User Execution
  • T1559.001 Component Object Model Hijacking

The RTF file contains multiple indicators of malicious OLE object embedding and activation (the RTF_OBJDATA, RTF_OBJEMB, RTF_OBJUPDATE and RTF_OBJCLASS_PACKAGE heuristics). Crucially, the CVE-2017-8759 heuristic matched: the file carries the MSXML SAX OLE activation staging shape associated with exploitation of that known vulnerability, which suggests it is designed to execute arbitrary code when the document is opened. No scripts were extracted and the document body is minimal, but the OLE object exploitation is a strong indicator of malicious intent.

Heuristics (8)

  • CVE-2017-8759 — MSXML SAX OLE activation [critical, CVE likely, CVE_2017_8759]
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • Heap-spray pattern detected [high, SC_HEAP_SPRAY]
    Repeated 0x41 (A) bytes found.
  • \objupdate forces OLE activation [high, RTF_OBJUPDATE]
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • Package object class [high, RTF_OBJCLASS_PACKAGE]
    OLE Package object — can wrap arbitrary files.
  • OLE object data [medium, RTF_OBJDATA]
    RTF contains 3 \objdata section(s) — embedded OLE objects.
  • Embedded OLE object [medium, RTF_OBJEMB]
    RTF contains \objemb — embedded OLE object.
  • Suspicious extracted artifact [info, EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/wo

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: objdata_00_off00008065.bin
    SHA-256: 07258a8f6e5b101909175a7f145d53fcc0c417e1de78b2bbb3558ab79141ecf1
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x8065
    Size: 167871 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact entropy is 8.00, consistent with packed or encrypted content)
  • Filename: objdata_01_off0005af44.bin
    SHA-256: 47c2830b7a94640f5dc9676b97e71dbde74ef6b78524b88a36ef4b22e2e7a412
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x5AF44
    Size: 8896 bytes
  • Filename: objdata_02_off0005af5e.bin
    SHA-256: 2c0f07b2a6f4551cfad6db1c662c46a09272c76f2298454bce6c42bc3f3a1640
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x5AF5E
    Size: 8892 bytes