Malicious RTF — malware analysis report

Static analysis result for SHA-256 9992819bc50b0ebb…

MALICIOUS

RTF

126.5 KB Created: 2019-01-20 14:19:00 First seen: 2019-04-18
MD5: 5066f6d53b67b7a551d2b84f80c8d1c9 SHA-1: fe51366c5558f54c8448ae292e209a174d1aab7e SHA-256: 9992819bc50b0ebba6bd9f901445696ae7eece7bc2e4f5de0a0ff73c4d68448e
202 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains multiple indicators of malicious activity, including embedded OLE objects and specific heuristics pointing to the Equation Editor vulnerability (CVE-2017-8759). The presence of shellcode API strings within an extracted artifact further suggests the execution of arbitrary code. This pattern is consistent with exploiting a known vulnerability to deliver a secondary payload.

Heuristics 6

  • Equation Editor CLSID critical CVE likely RTF_EQUATION_EDITOR
    Equation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
  • CVE-2017-8759 — MSXML SAX OLE activation critical CVE likely CVE_2017_8759
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 3 \objdata section(s) — embedded OLE objects
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2003/wordml In RTF body

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000116d9.bin rtf-objdata-decoded RTF \objdata at offset 0x116D9 8592 bytes
SHA-256: 67ff0449c56810ed91342d38f4bcc93b13e25946a55d6fed92fc2708e3e82c64
objdata_01_off00015aa9.bin rtf-objdata-decoded RTF \objdata at offset 0x15AA9 6841 bytes
SHA-256: 4ae82c1a309daeb1f275c17cac194a77ad74999b4c0ff1a8f16ca57c4f14dcfb
objdata_02_off000193c9.bin rtf-objdata-decoded RTF \objdata at offset 0x193C9 12923 bytes
SHA-256: b5bfdcf68d6d0fde6b9c62cbf7c4dd2e691ff0afc681c3076145c9b1d22a9f94
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_STR_LOADLIBRARY, SC_STR_URLDOWNLOAD, SC_PEB_ACCESS Static shellcode analysis recovered API/import strings: LoadLibraryW, GetProcAddress, URLDownloadToFileW, ExitProcess

Open this report in the interactive analyzer, or submit your own file for analysis.