Rtf.Dropper.Agent-7384550-0 RTF malware analysis — malicious · aec798ed8785d79a

MALICIOUS

RTF

953.2 KB Created: 2018-04-18 02:12:00 First seen: 2018-08-05

MD5: fbfb649149b1555143a5763bb3f3824d SHA-1: d15549c2ceadf04017627abc00723b92ada1adb4 SHA-256: aec798ed8785d79a4841fb9db19606236702decba72889b564211f0c20552b8d

202 Risk Score

Malware Insights

Rtf.Dropper.Agent-7384550-0 · confidence 95%

MITRE ATT&CK

T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains an embedded OLE object that is activated via \objupdate, exploiting CVE-2017-8759. This technique is commonly used by droppers to download and execute additional malware. ClamAV identified the sample as Rtf.Dropper.Agent-7384550-0, supporting its role as a dropper.

Heuristics 6

CVE-2017-8759 — MSXML SAX OLE activation critical CVE likely CVE_2017_8759

RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
ClamAV: Doc.Dropper.Agent-6934317-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Agent-6934317-0
\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
OLE object data medium RTF_OBJDATA

RTF contains 12 \objdata section(s) — embedded OLE objects
Embedded OLE object medium RTF_OBJEMB

RTF contains \objemb — embedded OLE object
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.microsoft.com/office/word/2003/wordml In RTF body

Extracted artifacts 12

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off00002c4d.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x2C4D	26683 bytes
SHA-256: `301173707598a6fbdea825de494ec874f295a4becf2e006f75980a6b7fa6c5c6`
`objdata_01_off00015c74.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x15C74	26683 bytes
SHA-256: `77b9de7ca05e2a20613bbe76452877d0155b9302f58546c3f703d917737534ec`
`objdata_02_off00028c9b.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x28C9B	26683 bytes
SHA-256: `3ec5099997f269a67d17cffd47c5156dbc4545d27f0bf554006c892d53c69598`
`objdata_03_off0003bcc2.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x3BCC2	26683 bytes
SHA-256: `87d10bd40d07bef99fe09d4a3325be0e3624aabb01923021d9d5071ae50b2970`
`objdata_04_off0004ece9.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x4ECE9	26683 bytes
SHA-256: `aed740199e4662394386f9ac0ddd7a1ace670854a748dfc7ada6f40b74fc4d04`
`objdata_05_off00061d10.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x61D10	26683 bytes
SHA-256: `806fbc9af71e5d148a331346f00862558c765d02a80571cf12f179caec9672b3`
`objdata_06_off00074d83.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x74D83	26683 bytes
SHA-256: `ed11deb7ffbc9bcf695d83282381167c454e2bd313fa0c610cd2170332c543f9`
`objdata_07_off00087daa.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x87DAA	26683 bytes
SHA-256: `642e793586892e24aab5a59a3672eda8022f4a5e22897d8f0e1312e7acc119e1`
`objdata_08_off0009add1.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x9ADD1	26683 bytes
SHA-256: `125c66e2e95cbc5c25b8da57cf0949452bb149dde162f0013f0bddc750395fad`
`objdata_09_off000addf8.bin`	rtf-objdata-decoded	RTF \objdata at offset 0xADDF8	26683 bytes
SHA-256: `cedd7871bb8bb39e69bfd71343264ced942454af8c2fe2ebb0b2094a1ec83162`
`objdata_10_off000c0e1f.bin`	rtf-objdata-decoded	RTF \objdata at offset 0xC0E1F	26683 bytes
SHA-256: `fe07da5fa2aa299a6259af9fbbea31a1f4a1e3847c226d21b189baf24cb40523`
`objdata_11_off000d3e46.bin`	rtf-objdata-decoded	RTF \objdata at offset 0xD3E46	26683 bytes
SHA-256: `539b89d3dec5e66e3d096d941b690facebd6b42feace7a823cc78ea54113e97d`

Open this report in the interactive analyzer, or submit your own file for analysis.