Malicious RTF — malware analysis report

Static analysis result for SHA-256 a1f3388314c4abd7…

Verdict: MALICIOUS
File type: RTF
Size: 122.9 KB
Created: 2017-11-23 01:06:00
First seen: 2018-10-07
MD5: 123db52ae79f0262e52cf674cc1b75fa
SHA-1: 73e7fd7def07445fcad92c6322f8e9a228f42aca
SHA-256: a1f3388314c4abd7b1d3ad2aeb863c9c40a56bf438c7a2b71cbcff384d7e7ded
Risk score: 182

Malware Insights

MITRE ATT&CK

  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file contains multiple indicators of exploitation, specifically the Equation Editor OLE CLSID and forced OLE object activation. ClamAV flags the file with the signature Rtf.Exploit.CVE_2018_0802-6825822-0, which names CVE-2018-0802, a known Equation Editor vulnerability. The embedded URL is likely used for payload delivery or C2 communication.

Heuristics (5)

  • [critical] RTF_EQUATION_EDITOR: Equation Editor CLSID, CVE likely
    Equation Editor OLE CLSID found inside an OLE object; exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
  • [critical] CLAMAV_DETECTION: ClamAV: Rtf.Exploit.CVE_2018_0802-6825822-0
    ClamAV detected this file as malware: Rtf.Exploit.CVE_2018_0802-6825822-0
  • [high] RTF_OBJUPDATE: \objupdate forces OLE activation
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • [medium] RTF_OBJDATA: OLE object data
    RTF contains 8 \objdata section(s) (embedded OLE objects)
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs found:
      • http://mail.halcyonih.com/humans.txt (in RTF body)
      • http://schemas.openxmlformats.org/drawingml/2006/main (in RTF body; this is the standard DrawingML XML namespace URI)

Extracted artifacts (8)

Files carved from inside the sample during analysis.

Filename                    Kind                 Source                          Size
objdata_00_off00007803.bin  rtf-objdata-decoded  RTF \objdata at offset 0x7803   2482 bytes
  SHA-256: 8cca0df8fde3e6948dcc01b396bed09aa966da63e95116539ab29c743556aaf1
objdata_01_off00008db5.bin  rtf-objdata-decoded  RTF \objdata at offset 0x8DB5   498 bytes
  SHA-256: be22a0c642be5612eb12acc6d77b6f4afeebdcfff43eeddfa7af1a806433b8ad
objdata_02_off000093e7.bin  rtf-objdata-decoded  RTF \objdata at offset 0x93E7   721 bytes
  SHA-256: b4527370f08f121c5c4769b327cdf27410a332f5b6a170ca3732b5c666f97e6a
objdata_03_off00009bd7.bin  rtf-objdata-decoded  RTF \objdata at offset 0x9BD7   22768 bytes
  SHA-256: a74e0ac12388bf76aef1b318d3c8b6ec2ade70eacbe66f8c76dd0d9bf41f986c
objdata_04_off00015013.bin  rtf-objdata-decoded  RTF \objdata at offset 0x15013  2637 bytes
  SHA-256: 2f6cd011e3501399342304532d4cea260d6861819cc3ab2d2130a4be1d02028c
objdata_05_off00016827.bin  rtf-objdata-decoded  RTF \objdata at offset 0x16827  4681 bytes
  SHA-256: 12fbca07828175ae9abd77fcba440e736d52aea6fb09de9037af91a8d578aba5
objdata_06_off00019032.bin  rtf-objdata-decoded  RTF \objdata at offset 0x19032  3979 bytes
  SHA-256: f3528b66dcd6d02d089974bcf7a52fc381260cf478c10c0193844d0a43d26f4e
objdata_07_off0001b2c3.bin  rtf-objdata-decoded  RTF \objdata at offset 0x1B2C3  2600 bytes
  SHA-256: 7cbe15c9464df0f44734b766848c153074d5484a8c4481846f1d63493490600f