RTF malware analysis — malicious · 9d6f9c44d340ab00

MALICIOUS

RTF

37.7 KB Created: 2018-01-14 20:10:00 First seen: 2018-01-23

MD5: 28793c991b78e6186782253e103fc42d SHA-1: a24071b7059a4ba3e32656bc1d6eaec0ea62e114 SHA-256: 9d6f9c44d340ab00282d7c74b2cbc4ce4b7ab3ffa8fb744194d37c6c35f4ed19

122 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains an OLE object that exploits CVE-2017-0199, a known vulnerability for remote code execution. The exploit targets the URL http://dropcanvas.com/e7ept/1 to download and execute a secondary payload. This indicates a malicious document likely delivered as a spearphishing attachment.

Heuristics 4

CVE-2017-0199 (OLE2Link / remote URL Moniker) critical CVE likely CVE_2017_0199

RTF contains a URL Moniker OLE link whose decoded target is remote. Office can fetch and process the response through the CVE-2017-0199 OLE2Link attack path, but the server-side content type is not proven statically.
Automatically linked OLE object high RTF_OBJAUTLINK

RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://dropcanvas.com/e7ept/1 In RTF body
- http://schemas.microsoft.com/office/word/2003/wordmlIn RTF body

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off000028da.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x28DA	3640 bytes
SHA-256: `24cc779b6fe804fd732b1093d855aea53c900dedadee94bc337556e9285fd92b`

Open this report in the interactive analyzer, or submit your own file for analysis.