Malicious RTF — malware analysis report

Static analysis result for SHA-256 a06897ba292b9312…

Verdict: MALICIOUS
File type: RTF
Size: 918.5 KB
Created: 2018-05-07 02:29:00
First seen: 2018-07-18
MD5: 43dc4222222d8f158cbb688a77f9bb84
SHA-1: c6fd2387b927854fc5096e9df6790e83d8d02524
SHA-256: a06897ba292b93123a89f4c53068c5afe14106e156207377736563fb7f40b001
Risk Score: 262

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file contains multiple embedded OLE objects and carries an \objupdate control word, which forces OLE activation when the document is opened and is indicative of exploiting vulnerabilities such as CVE-2017-8759 for client execution. ClamAV detections further confirm its malicious nature, flagging it as Doc.Macro.Obfuscation. The primary attack vector is likely a spearphishing attachment, with the embedded OLE object serving as the mechanism to download and execute a secondary payload.

Heuristics (6)

  • CVE-2017-8759 — MSXML SAX OLE activation [critical, likely] (CVE_2017_8759)
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • ClamAV: Doc.Dropper.Agent-6412232-1 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1
  • \objupdate forces OLE activation [high] (RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] (RTF_OBJDATA)
    RTF contains 10 \objdata section(s): embedded OLE objects
  • Embedded OLE object [medium] (RTF_OBJEMB)
    RTF contains \objemb: embedded OLE object
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size

objdata_00_off00002c1a.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2C1A | 33339 bytes
  SHA-256: 3e611708d3f69e0dc3f4d67965ad9e6117ce1567bb36c5973fbf0fec11f36e0c
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely

objdata_01_off00018b36.bin | rtf-objdata-decoded | RTF \objdata at offset 0x18B36 | 33339 bytes
  SHA-256: c5e9f0fe2e1d7ab01b66817e0e2b1af4c5d771801548fedf58875d075d239408
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely

objdata_02_off0002ea52.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2EA52 | 33339 bytes
  SHA-256: 4f648a26ac0df8769ed5298098d26f0aed9d91ab858c18c228ed680dad180e63
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely

objdata_03_off0004496e.bin | rtf-objdata-decoded | RTF \objdata at offset 0x4496E | 33339 bytes
  SHA-256: 0a235a823306ed4e7365056b2b0ff08b2d455dd0c3356c58a568467d5be53519
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely

objdata_04_off0005a88a.bin | rtf-objdata-decoded | RTF \objdata at offset 0x5A88A | 33339 bytes
  SHA-256: 5cc643fd054bf94aed213337fad15c6977f3bf2dfce342f04c43eee881d0078d
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely

objdata_05_off000707f2.bin | rtf-objdata-decoded | RTF \objdata at offset 0x707F2 | 33339 bytes
  SHA-256: 386dc620e7970d88d836821b7a7fe8de1ebc9e2c8d9d425fe7b19cf2f26e6729
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely

objdata_06_off0008670e.bin | rtf-objdata-decoded | RTF \objdata at offset 0x8670E | 33339 bytes
  SHA-256: ff422c8651cf119666e3d19cb8aa157a426b0bb9c15cd08a5352cb4fa2d5c866
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely

objdata_07_off0009c62a.bin | rtf-objdata-decoded | RTF \objdata at offset 0x9C62A | 33339 bytes
  SHA-256: 64c4f42bdc6d822f0f92c89ab4fcc209e01ac7b40a7c7ec23044ad85990c999f
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely

objdata_08_off000b2546.bin | rtf-objdata-decoded | RTF \objdata at offset 0xB2546 | 33339 bytes
  SHA-256: 2817cabe4a51f5d92fefcaa22b078dd6887423ae32f55c0b8f39dd992fba69fb
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely

objdata_09_off000c8462.bin | rtf-objdata-decoded | RTF \objdata at offset 0xC8462 | 33339 bytes
  SHA-256: 5444a659fc172217d1143139695f58f65bee2a0c8ae0d28c1833b9027123e895
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely