Malicious RTF — malware analysis report

Static analysis result for SHA-256 a1bff0657a0d7db9…

MALICIOUS

RTF

Size: 87.7 KB
Created: 2017-11-23 01:06:00
First seen: 2018-12-09
MD5: 8d6e68256bd8f327dc58437b032b6d59
SHA-1: a484f03e63d11756d9c74fee359a9feddf99916c
SHA-256: a1bff0657a0d7db96f9fa77cc6997bbcb6a988a69b45250a429fd3b12bd8f32f
Risk Score: 240

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF file fires multiple critical heuristics indicating exploitation of CVE-2017-8570 (Composite Moniker) and CVE-2018-0802 (Equation Editor) through embedded OLE objects. The two exploits behave differently once triggered: the Composite Moniker exploit is known to drop an SCT scriptlet to disk and execute it, while the Equation Editor exploit abuses a stack buffer overflow in EQNEDT32.EXE to run attacker shellcode. The combination of \objupdate (which activates the objects without user interaction), 8 \objdata sections, and the specific CLSIDs recovered from the decoded object data indicates an exploit chain designed for arbitrary code execution when the document is opened in Word.

Heuristics (5)

  • Composite Moniker — CVE-2017-8570 (drops SCT script)   severity: critical   category: CVE related   id: CVE_2017_8570
    RTF \objdata decodes to OLE data containing the Composite Moniker CLSID ({00000309-0000-0000-C000-000000000046}). The vulnerable moniker is embedded directly in the document's object stream, which is the delivery shape of this exploit: Word instantiates embedded OLE objects while it parses the file, so the moniker is activated without the user interacting with the object. The known payload is an SCT scriptlet dropped to disk and executed.
  • Equation Editor CLSID   severity: critical   category: CVE likely   id: RTF_EQUATION_EDITOR
    Equation Editor OLE CLSID ({0002CE02-0000-0000-C000-000000000046}) found inside an OLE object. This component (EQNEDT32.EXE) is the target of CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798; the CLSID alone does not say which one, so the specific CVE attribution for this sample comes from the ClamAV signature below.
  • ClamAV: Rtf.Exploit.CVE_2018_0802-6825822-0   severity: critical   category: CLAMAV_DETECTION
    ClamAV detected this file as malware with signature Rtf.Exploit.CVE_2018_0802-6825822-0.
  • \objupdate forces OLE activation   severity: high   id: RTF_OBJUPDATE
    RTF contains \objupdate, which makes Word update (instantiate) the embedded OLE object as soon as the document is opened, so no user interaction is required. Rare in benign documents; common in Equation Editor and other RTF exploit documents.
  • OLE object data   severity: medium   id: RTF_OBJDATA
    RTF contains 8 \objdata section(s), i.e. embedded OLE objects; each one is carved and listed under Extracted artifacts.
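As an added example (not part of this report or of the scanner that produced it), the following Python reproduces the three RTF heuristics above over a file: it decodes every \objdata hex group into bytes, scans the decoded bytes for the little-endian form of the Composite Moniker and Equation Editor CLSIDs, and counts \objupdate occurrences. The sample RTF it builds is constructed for the example; the OLE1-style header bytes in it are illustrative filler and are not taken from the analysed file.

```python
import re
import uuid

# Documented Windows CLSIDs; the CVE mapping is the one the heuristics above use.
KNOWN_CLSIDS = {
    "composite_moniker": uuid.UUID("00000309-0000-0000-C000-000000000046"),  # CVE-2017-8570
    "equation_editor":   uuid.UUID("0002CE02-0000-0000-C000-000000000046"),  # CVE-2017-11882 / 2018-0802 / 2018-0798
}

# An RTF control word (\foo, \foo-12), hex escape (\'41) or control symbol (\*, \{).
_CONTROL = re.compile(rb"\\(?:[a-zA-Z]+-?[0-9]*|'[0-9a-fA-F]{2}|.)")
_HEX = set(b"0123456789abcdefABCDEF")


def extract_objdata(rtf):
    """Return [(offset, decoded_bytes)] for every \\objdata group in the RTF.

    Walks the group character by character: nested braces are tracked, control
    words are skipped, whitespace is ignored and only hex digits are collected,
    so line-wrapped or padded hex (as Word and obfuscators emit it) still decodes.
    """
    blobs = []
    for m in re.finditer(rb"\\objdata(?![a-zA-Z])", rtf):
        pos, depth, hexdigits = m.end(), 0, bytearray()
        while pos < len(rtf):
            c = rtf[pos]
            if c == ord("{"):
                depth += 1
                pos += 1
            elif c == ord("}"):
                if depth == 0:          # closing brace of the \objdata group itself
                    break
                depth -= 1
                pos += 1
            elif c == ord("\\"):
                cw = _CONTROL.match(rtf, pos)
                pos = cw.end() if cw else pos + 1
            else:
                if c in _HEX:
                    hexdigits.append(c)
                pos += 1
        if len(hexdigits) % 2:          # dangling nibble: drop it rather than fail
            hexdigits.pop()
        blobs.append((m.start(), bytes.fromhex(hexdigits.decode("ascii"))))
    return blobs


def scan_rtf(rtf):
    """Apply the RTF_OBJDATA, RTF_OBJUPDATE and CLSID heuristics to one file."""
    blobs = extract_objdata(rtf)
    hits = []
    for offset, blob in blobs:
        for name, clsid in KNOWN_CLSIDS.items():
            # CLSIDs are stored little-endian in OLE structures (Data1/2/3
            # byte-swapped, Data4 as-is), which is exactly uuid.bytes_le.
            if clsid.bytes_le in blob:
                hits.append((offset, name))
    return {
        "objdata_count": len(blobs),
        "objupdate_count": len(re.findall(rb"\\objupdate(?![a-zA-Z])", rtf)),
        "clsid_hits": hits,
    }


def build_sample():
    """Constructed test document (not the analysed sample): two embedded objects,
    one carrying the Equation Editor CLSID, one the Composite Moniker CLSID,
    with \\objupdate on the first."""
    def ole_blob(progid, clsid):
        # Illustrative OLE1-style prefix, then the CLSID, then filler standing in
        # for the real payload. The layout is not a faithful OLE1 header.
        return (b"\x01\x05\x00\x00\x02\x00\x00\x00" + progid + b"\x00"
                + clsid.bytes_le + b"\x90" * 16)

    def hexgroup(blob):
        h = blob.hex().encode()
        return b"\n".join(h[i:i + 32] for i in range(0, len(h), 32))  # wrapped hex lines

    eq = hexgroup(ole_blob(b"Equation.3", KNOWN_CLSIDS["equation_editor"]))
    cm = hexgroup(ole_blob(b"Package", KNOWN_CLSIDS["composite_moniker"]))
    return (b"{\\rtf1\\ansi\\deff0\n"
            b"{\\object\\objemb\\objupdate\\objw1000\\objh1000{\\*\\objclass Equation.3}"
            b"{\\*\\objdata\n" + eq + b"\n}}\n"
            b"{\\object\\objemb{\\*\\objdata\n" + cm + b"\n}}\n"
            b"\\par}")


if __name__ == "__main__":
    report = scan_rtf(build_sample())
    print(f"\\objdata sections: {report['objdata_count']}, \\objupdate: {report['objupdate_count']}")
    for offset, name in report["clsid_hits"]:
        print(f"  offset 0x{offset:X}: {name} CLSID {KNOWN_CLSIDS[name]}")
```

Run it on a real file with `scan_rtf(open(path, "rb").read())`; the offsets it reports are those of the \objdata keyword, the same convention the Extracted artifacts list below uses. A CLSID hit inside decoded object data is a stronger signal than a string match on the raw RTF, because the CLSID only exists after hex decoding and survives the whitespace and control-word padding that obfuscated samples use to break naive signatures.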

Extracted artifacts (8)

Files carved from inside the sample during analysis: one decoded blob per \objdata section.

Filename                     Kind                  Source                           Size        SHA-256
objdata_00_off00009ead.bin   rtf-objdata-decoded   RTF \objdata at offset 0x9EAD     709 bytes   b0a0e822ec0284afd6c145ae650529ba3e55ead24f5ee9d23deed33255fc78e7
objdata_01_off0000a68f.bin   rtf-objdata-decoded   RTF \objdata at offset 0xA68F     949 bytes   8f8f96d8c0150cd7af834bdcdd61a3bbf7b12d3030af64677e0a3e460cfff23f
objdata_02_off0000b051.bin   rtf-objdata-decoded   RTF \objdata at offset 0xB051     970 bytes   8ab8232e32482d2bbc964aeaea02ce169b79a3ee7ef39feb2d9329a4563b1b9e
objdata_03_off0000ba68.bin   rtf-objdata-decoded   RTF \objdata at offset 0xBA68    3271 bytes   3e4de491815c0ad3cf30a6f9cb6e81dfae7c19f1bc0f033dcb01ed50ca70124d
objdata_04_off0000d8b5.bin   rtf-objdata-decoded   RTF \objdata at offset 0xD8B5    2638 bytes   1bf6aed2b9fbe44cb3897ae976565219033de01afc256a506bdc449db30d1934
objdata_05_off0000efff.bin   rtf-objdata-decoded   RTF \objdata at offset 0xEFFF    4682 bytes   7374646f78317becf226627725615809d2473862dd0059ab569de305e0472932
objdata_06_off00011733.bin   rtf-objdata-decoded   RTF \objdata at offset 0x11733   3980 bytes   49bf7c128e70aeebe86af2369fbfe29ee2ff4b462e5ac4d4d69d8d0b3a342da2
objdata_07_off000138ed.bin   rtf-objdata-decoded   RTF \objdata at offset 0x138ED   2601 bytes   f27144b06d7046e0a340b06bbe8a43eac55c1e036a211b284096608c0a1beced