Malicious RTF — malware analysis report

Static analysis result for SHA-256 9755eacce9b80f55…

MALICIOUS

RTF

Size: 977.2 KB; Created: 2018-03-31 16:10:00; First seen: 2018-04-23
MD5: 96828ba6c1491266e5329a2b4ce64b06
SHA-1: 1ab678f2f17360c340f6cb903efad85ce7d305d2
SHA-256: 9755eacce9b80f55c41628ab0373c0fbf7b5f5f5b9960b7a3805e714f6915cb9
Risk Score: 262

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file contains multiple embedded OLE objects and triggers an ".objupdate" command, which is indicative of exploiting vulnerabilities like CVE-2017-8759 for client execution. ClamAV detections further confirm its malicious nature, flagging it as Doc.Macro.Obfuscation. The primary attack vector is likely spearphishing attachment, with the embedded OLE object serving as the mechanism to download and execute a secondary payload.

Heuristics (6)

  • CVE-2017-8759 — MSXML SAX OLE activation [critical; CVE likely; CVE_2017_8759]
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • ClamAV: Doc.Macro.Obfuscation-6391394-0 [critical; CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Macro.Obfuscation-6391394-0
  • \objupdate forces OLE activation [high; RTF_OBJUPDATE]
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium; RTF_OBJDATA]
    RTF contains 12 \objdata section(s) — embedded OLE objects
  • Embedded OLE object [medium; RTF_OBJEMB]
    RTF contains \objemb — embedded OLE object
  • Embedded URL [info; EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts (12)

Files carved from inside the sample during analysis.

Fields per artifact: Filename; Kind; Source; Size; SHA-256; Detection; Obfuscation or payload.

  • objdata_00_off00002c47.bin
    Kind: rtf-objdata-decoded; Source: RTF \objdata at offset 0x2C47; Size: 27707 bytes
    SHA-256: bcb4595c835420396f43e2e8d91a524930e80b437e24459f98229fd24f9b512f
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_01_off00016478.bin
    Kind: rtf-objdata-decoded; Source: RTF \objdata at offset 0x16478; Size: 27707 bytes
    SHA-256: 10c034bcda93bfcd582a4cae4e28c29811dccfb425ea53a13d7b8422c5f78819
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_02_off00029ca9.bin
    Kind: rtf-objdata-decoded; Source: RTF \objdata at offset 0x29CA9; Size: 27707 bytes
    SHA-256: cdef19c665f86185b289ce8e80aa4ee8e9b4f0832e0f6ecddec3f3e19786e8d3
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_03_off0003d4da.bin
    Kind: rtf-objdata-decoded; Source: RTF \objdata at offset 0x3D4DA; Size: 27707 bytes
    SHA-256: 688f3e7be00479215097793dc1765486a27a65fd1567aef62149166ff0e8b6de
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_04_off00050d0b.bin
    Kind: rtf-objdata-decoded; Source: RTF \objdata at offset 0x50D0B; Size: 27707 bytes
    SHA-256: 987c8551a980c4bd774d44532188a37e49bc23ec6b8dad07466e58b6c288c967
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_05_off0006453c.bin
    Kind: rtf-objdata-decoded; Source: RTF \objdata at offset 0x6453C; Size: 27707 bytes
    SHA-256: de4dd3c8307f6052aad8996f32909f02bdfd3ca9bc1cd9aee3ddc7529a7251d1
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_06_off00077d6d.bin
    Kind: rtf-objdata-decoded; Source: RTF \objdata at offset 0x77D6D; Size: 27707 bytes
    SHA-256: 524b987b92fdaf9599989d24744bf3bb3757eef2260aec447a19294540d9c800
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_07_off0008b59e.bin
    Kind: rtf-objdata-decoded; Source: RTF \objdata at offset 0x8B59E; Size: 27707 bytes
    SHA-256: 59851d85339597c55444b2aa8093204305e976a83dcadaa1258f1664ca505b52
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_08_off0009edcf.bin
    Kind: rtf-objdata-decoded; Source: RTF \objdata at offset 0x9EDCF; Size: 27707 bytes
    SHA-256: 21ff76393e701889a4e57d886d1a128c922c07642ba42532a36b18b71ec54ee6
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_09_off000b2600.bin
    Kind: rtf-objdata-decoded; Source: RTF \objdata at offset 0xB2600; Size: 27707 bytes
    SHA-256: 10693cd9da6595204c819bb09f573773e00786c56e638d5875c406711d69285c
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_10_off000c5e31.bin
    Kind: rtf-objdata-decoded; Source: RTF \objdata at offset 0xC5E31; Size: 27707 bytes
    SHA-256: 6d747874eb4c012719abc6d6cf8f498ce0fe1bc00255910d67c9bb6e9d8c5172
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_11_off000d9662.bin
    Kind: rtf-objdata-decoded; Source: RTF \objdata at offset 0xD9662; Size: 27707 bytes
    SHA-256: ebadbd7fab5c2ce05ec1bc3f988e126bdab29100b1f1ef705d1c24ee20948d88
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely