Malicious RTF — malware analysis report

Static analysis result for SHA-256 962209d779d8dd4f…

Verdict: MALICIOUS
Type: RTF
Size: 337.4 KB
Created: 2017-09-21 16:27:00
First seen: 2017-10-10
MD5: 9ae8902c6dc9ada8979b690b46f3d5d6
SHA-1: fae97fe0cb0de485f42d9e20ffff6c20dd1f5222
SHA-256: 962209d779d8dd4f258448c8c8e720f9fcb30292e19eea8b060c94f7b6f87cb3
Risk Score: 202

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file contains multiple OLE objects and triggers critical heuristics for CVE-2017-8759 (SOAP Moniker RCE) as well as a ClamAV detection as a downloader. This indicates the file is designed to exploit this vulnerability to download and execute a secondary payload. The single embedded URL is benign and is recorded for reference only.

Heuristics (6)

  • SOAP Moniker — CVE-2017-8759 (SOAP WSDL RCE) [critical; CVE related: CVE_2017_8759]
    RTF \objdata decodes to OLE data containing the CLSID of the SOAP Moniker (CVE-2017-8759, SOAP WSDL RCE): the vulnerable control/moniker is embedded directly in the document's object stream, which is the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
  • ClamAV: Rtf.Downloader.CVE_2017-6336326-3 [critical; CLAMAV_DETECTION]
    ClamAV detected this file as malware: Rtf.Downloader.CVE_2017-6336326-3
  • Automatically linked OLE object [high; RTF_OBJAUTLINK]
    RTF contains \objautlink: an automatically linked OLE object, a surface that can be updated or activated when Word opens the document.
  • OLE object data [medium; RTF_OBJDATA]
    RTF contains 13 \objdata section(s), i.e. embedded OLE objects.
  • OlePres presentation stream in RTF OLE object [medium; RTF_OLEPRES_STREAM]
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
  • Embedded URL [info; EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/wor (in RTF body)

Extracted artifacts (13)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
objdata_00_off00002e5c.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2E5C | 5808 bytes | e0aa8f45b40261b0f641007f515f140788dfb811974ee556827d0426d0617fb8
objdata_01_off00008e91.bin | rtf-objdata-decoded | RTF \objdata at offset 0x8E91 | 5776 bytes | bdf7b2d0ed9042b42226d047a1214d245806df9ab02bf059fa5515770b22276d
objdata_02_off0000e9ee.bin | rtf-objdata-decoded | RTF \objdata at offset 0xE9EE | 5776 bytes | c6bdd36ba41280e9153be55ba753817f8bb2234136027158e09d1a5f16c1b464
objdata_03_off0001454b.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1454B | 5776 bytes | 6c123a3dc3ad29351891f65c44b1dc7d9fd0f1bd9b6578557a03369eb910f2f2
objdata_04_off0001a0a8.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1A0A8 | 5776 bytes | 8532153ffa1c340309288b34eb5c51cb3064e77fa45889a7b8228a415e6f1e22
objdata_05_off0001fc05.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1FC05 | 5776 bytes | 06e30a350b514e0853a61e6051163771348bac93208ba7727115b8f222c13063
objdata_06_off00025762.bin | rtf-objdata-decoded | RTF \objdata at offset 0x25762 | 5776 bytes | 90880b0a3c2e588733cf685d0caa6907d8338830400260228026c56fd4cb655a
objdata_07_off0002b2bf.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2B2BF | 5776 bytes | 969939358f075e95f928a2f69676c5b24733dffcf2048cd54a2333e70f636007
objdata_08_off00030e1c.bin | rtf-objdata-decoded | RTF \objdata at offset 0x30E1C | 5776 bytes | d7de6e2b84d4dc9463030ef853b7e6fa004cebe17400f3db738dfbbf838b0106
objdata_09_off00036979.bin | rtf-objdata-decoded | RTF \objdata at offset 0x36979 | 5776 bytes | 444cb644b7f56ef9be271c32c0bf5853d92ed70c80ea6735a0293b185967e2c5
objdata_10_off0003c4d6.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3C4D6 | 5776 bytes | 06bb83f35da4f9cfcd70b75f1cb1ffc56f9fd13918bd30ea879e30b4e75bd88c
objdata_11_off00042033.bin | rtf-objdata-decoded | RTF \objdata at offset 0x42033 | 5776 bytes | 9cfd81f9c06607728fdd7f418279a06b2618630f9635556ef06b43cd10ef761b
objdata_12_off00047d4c.bin | rtf-objdata-decoded | RTF \objdata at offset 0x47D4C | 5776 bytes | 9ea057f819f068011b64876c154f27c7e2969877f1032342d28e3cc18985ff5c