Malicious RTF — malware analysis report

Static analysis result for SHA-256 ac521bf821a44670…

MALICIOUS

Type: RTF
Size: 918.5 KB
Created: 2018-05-07
First seen: 2018-07-14
MD5: 970d82ab514f4f79e826a5c8c91abd7e
SHA-1: 568afab4c2f0e4e7f356ceb429612760afcf830a
SHA-256: ac521bf821a446704ed4c74900bbf9a9f136417bcfde51e6eab2b8531458e4b3
Risk score: 222

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file contains multiple OLE objects and trips a critical heuristic for CVE-2017-8759: an OLE1 object for Msxml2.SAXXMLReader.6.0 that the document asks to activate, which is the staging used to reach the MSXML SOAP/WSDL parser code-injection flaw. ClamAV also classifies the file as a dropper (Doc.Dropper.Agent-6412232-1), suggesting it is built to fetch and execute a secondary payload. Together these point to a malicious document intended for initial compromise, consistent with delivery as a spearphishing attachment (T1566.001) followed by exploitation for client execution (T1203). Note that the heuristic matches the staging shape rather than confirming a working exploit chain, and the dropper label is a signature match: this static result does not establish the second-stage payload or where it is fetched from.

Heuristics (5)

  • CVE-2017-8759 — MSXML SAX OLE activation [critical | CVE | likely | CVE_2017_8759]
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • ClamAV: Doc.Dropper.Agent-6412232-1 [critical | CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1
  • OLE object data [medium | RTF_OBJDATA]
    RTF contains 10 \objdata sections (embedded OLE objects)
  • Embedded OLE object [medium | RTF_OBJEMB]
    RTF contains \objemb (embedded OLE object)
  • Embedded URL [info | EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts (10)

Files carved from inside the sample during analysis. All ten artifacts share the same kind (rtf-objdata-decoded), decoded size (33339 bytes), detection (ClamAV: Doc.Dropper.Agent-6412232-1) and assessment (obfuscation or payload: unlikely); only the source offset and the SHA-256 digest differ, so the ten decoded blobs are not byte-identical copies of one another.

Filename | Source | SHA-256
objdata_00_off00002c10.bin | RTF \objdata at offset 0x2C10 | 51f3a2a1b1bb77db5d81537d9a6b43899e664c437f2b5a0213df90a5e5cb11a6
objdata_01_off00018b2b.bin | RTF \objdata at offset 0x18B2B | c3f4625699bc8d8d2dbc91a6b278792f929040527458015fd09a499577b3ff0c
objdata_02_off0002ea46.bin | RTF \objdata at offset 0x2EA46 | bb13fd6d5e32d0767bd21b5c926d85603ba4654f40f8f80c20be73c952736fe6
objdata_03_off00044961.bin | RTF \objdata at offset 0x44961 | cb0fd165d15239c8ffd9762d4eeeb2a618bc801e3ad9988ef540233147ce20c6
objdata_04_off0005a87c.bin | RTF \objdata at offset 0x5A87C | c35f02ea1b9f789482be5e14d16d42cf8516d22d54dc8bbf72112b20ce395fca
objdata_05_off000707e3.bin | RTF \objdata at offset 0x707E3 | a5718872d64ca1899f96979b3d5d7cdf334371144ca9084e9f63cdefec185b91
objdata_06_off000866fe.bin | RTF \objdata at offset 0x866FE | 73814a36e75f088073a47cb333aeb1872ed973f42b9dfe3be3c6e0c92d104481
objdata_07_off0009c619.bin | RTF \objdata at offset 0x9C619 | 8a8471688334b47c879038248f122e874f37e2c8c9eb3fe707759be0fa0d55df
objdata_08_off000b2534.bin | RTF \objdata at offset 0xB2534 | ada42804c46ebc24989e5af67d1f5492c84b93970a4db0dcc907c78d43804e5c
objdata_09_off000c844f.bin | RTF \objdata at offset 0xC844F | 6f87fca5dbe72c512608bc34a0343f1145fd12336264b39c3b3cbfba114f38a1
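The RTF_OBJDATA, RTF_OBJEMB and CVE_2017_8759 heuristics above, and the per-object offsets and SHA-256 digests in the artifact listing, can be reproduced with a short parser. The Python below is an added example written for this page, not code from the analysis platform that produced the report: it walks each \objdata group (skipping the junk control words and braces that malicious RTFs sprinkle through the hex), decodes the OLE1 ObjectHeader per MS-OLEDS to recover the ProgID, checks for the OLE compound-document magic, and counts \objemb and \objupdate. Treating \objupdate as the "document requests OLE activation" signal is this example's assumption, as is the Msxml2.SAXXMLReader ProgID pattern; SAMPLE_RTF and BENIGN_RTF are constructed inputs, not bytes from the analysed file.

```python
import hashlib
import re
import struct
from typing import Optional, Tuple

OLE_CF_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE compound (CFB) document header
SAX_READER_RE = re.compile(r"Msxml2\.SAXXMLReader(\.\d+\.\d+)?", re.I)  # MSXML SAX reader ProgIDs (assumed)
OBJDATA_RE = re.compile(rb"\\objdata\b")
# control word (optional numeric parameter, optional delimiting space), \'hh escape, or control symbol
CONTROL_RE = re.compile(rb"\\(?:[a-zA-Z]+-?\d* ?|'[0-9a-fA-F]{2}|[^a-zA-Z])")
HEXDIGITS = b"0123456789abcdefABCDEF"

def objdata_hex(rtf: bytes, start: int) -> bytes:
    # Collect the hex digits of one \objdata group, starting right after the control word. Nested braces,
    # whitespace and control words are skipped, so junk sprinkled through the hex does not break decoding.
    out, depth, i = bytearray(), 0, start
    while i < len(rtf):
        c = rtf[i:i + 1]
        if c == b"{":
            depth += 1
        elif c == b"}":
            if depth == 0:
                break  # the brace closing the \objdata group
            depth -= 1
        elif c == b"\\":
            m = CONTROL_RE.match(rtf, i)
            i = m.end() if m else i + 1
            continue
        elif c in HEXDIGITS:
            out += c
        i += 1
    return bytes(out)

def parse_ole1(blob: bytes) -> Tuple[Optional[str], bytes]:
    # OLE1 ObjectHeader: OLEVersion, FormatID, then ClassName/TopicName/ItemName as LengthPrefixedAnsiStrings
    # (4-byte length + NUL-terminated bytes); for FormatID 2 (embedded) NativeDataSize and NativeData follow.
    if len(blob) < 8:
        return None, b""
    _version, format_id = struct.unpack_from("<II", blob, 0)
    pos, names = 8, []
    for _ in range(3):
        if pos + 4 > len(blob):
            return None, b""
        (n,) = struct.unpack_from("<I", blob, pos)
        if n > len(blob) - pos - 4:
            return None, b""
        names.append(blob[pos + 4:pos + 4 + n].rstrip(b"\x00"))
        pos += 4 + n
    class_name = names[0].decode("latin-1")
    if format_id != 2 or pos + 4 > len(blob):
        return class_name, b""
    (size,) = struct.unpack_from("<I", blob, pos)
    return class_name, blob[pos + 4:pos + 4 + size]

def analyse_rtf(rtf: bytes) -> dict:
    # Decode every \objdata blob and summarise the indicators the heuristics above key on.
    objects = []
    for m in OBJDATA_RE.finditer(rtf):
        digits = objdata_hex(rtf, m.end())
        blob = bytes.fromhex(digits[:len(digits) & ~1].decode("ascii"))  # drop a dangling nibble
        class_name, native = parse_ole1(blob)
        objects.append({
            "offset": m.start(), "size": len(blob), "sha256": hashlib.sha256(blob).hexdigest(),
            "class_name": class_name,
            "sax_reader": bool(class_name and SAX_READER_RE.fullmatch(class_name)),
            # the compound document may be the OLE1 object's native data or a bare blob of its own
            "compound_doc": native.startswith(OLE_CF_MAGIC) or blob.startswith(OLE_CF_MAGIC),
        })
    objupdate = len(re.findall(rb"\\objupdate\b", rtf))
    return {
        "objects": objects,
        "objemb": len(re.findall(rb"\\objemb\b", rtf)),
        "objupdate": objupdate,
        # the staging shape from the heuristic: SAXXMLReader OLE1 object + OLE compound document
        # + a request to update/activate the object when the document opens (\objupdate, assumed)
        "cve_2017_8759_shape": any(o["sax_reader"] for o in objects)
        and any(o["compound_doc"] for o in objects) and objupdate > 0,
    }

# Constructed sample input below; none of these bytes come from the analysed file.
def _lp(s: bytes) -> bytes:  # LengthPrefixedAnsiString; a zero length means no string field
    return struct.pack("<I", len(s) + 1) + s + b"\x00" if s else struct.pack("<I", 0)

def build_ole1(class_name: bytes, native: bytes) -> bytes:  # embedded OLE1 object, OLEVersion 0x501
    return (struct.pack("<II", 0x501, 2) + _lp(class_name) + _lp(b"") + _lp(b"")
            + struct.pack("<I", len(native)) + native)

def obfuscated_hex(blob: bytes, every: int = 20) -> bytes:  # junk control group every few digits
    return b"{\\junk1 }".join(blob.hex()[i:i + every].encode() for i in range(0, 2 * len(blob), every))

# a SAXXMLReader object whose native data is a truncated CFB header, marked \objupdate, then a Package object
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\deff0 {\\object\\objemb\\objupdate{\\*\\objdata "
    + obfuscated_hex(build_ole1(b"Msxml2.SAXXMLReader.6.0", OLE_CF_MAGIC + b"\x00" * 24))
    + b"}}\\par {\\object\\objemb{\\*\\objdata "
    + build_ole1(b"Package", b"hello").hex().encode() + b"}}\\par}"
)
BENIGN_RTF = b"{\\rtf1\\ansi\\deff0 Quarterly numbers attached.\\par}"
```

analyse_rtf(SAMPLE_RTF) reports two objects, the first with class Msxml2.SAXXMLReader.6.0 and a compound-document payload, objemb=2, objupdate=1 and cve_2017_8759_shape=True; analyse_rtf(BENIGN_RTF) reports no objects and no shape match. To triage a real file, call analyse_rtf(open(path, "rb").read()) and compare the offset and sha256 fields with the artifact listing. Linked objects (FormatID 1) and raw \binN data are deliberately out of scope.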