Malicious RTF — malware analysis report

Static analysis result for SHA-256 af84b24296b2b57b…

MALICIOUS

RTF

Size: 841.3 KB
Created: 2018-03-12 22:53:00
First seen: 2018-06-21
MD5: 8a6f4b37ed36ae1d6035868ddaf6d2b7
SHA-1: d6a1101effa8d19e5fe969ab90d817cd856ef505
SHA-256: af84b24296b2b57b02e0780ce1a6a0072fe4d27d8610392403b446c62b817f62
Risk Score: 262

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file contains multiple embedded OLE objects and carries the \objupdate control word, which forces OLE activation on open and is indicative of exploiting vulnerabilities like CVE-2017-8759 for client execution. ClamAV detections further confirm its malicious nature, flagging it as Doc.Macro.Obfuscation. The primary attack vector is likely a spearphishing attachment, with the embedded OLE object serving as the mechanism to download and execute a secondary payload.

Heuristics (6)

  • CVE-2017-8759 — MSXML SAX OLE activation [severity: critical] [CVE likely] [tag: CVE_2017_8759]
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • ClamAV: Xls.Downloader.Generic-6750544-0 [severity: critical] [tag: CLAMAV_DETECTION]
    ClamAV detected this file as malware: Xls.Downloader.Generic-6750544-0
  • \objupdate forces OLE activation [severity: high] [tag: RTF_OBJUPDATE]
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [severity: medium] [tag: RTF_OBJDATA]
    RTF contains 10 \objdata section(s): embedded OLE objects
  • Embedded OLE object [severity: medium] [tag: RTF_OBJEMB]
    RTF contains \objemb: embedded OLE object
  • Embedded URL [severity: info] [tag: EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename                    Kind                 Source                          Size
objdata_00_off00002c53.bin  rtf-objdata-decoded  RTF \objdata at offset 0x2C53   28731 bytes
    SHA-256: acd3b996db9ac87c9ddbbeb18c534012ac2b680076ed8f3b612eb39b0f1ff4b8
    Detection: ClamAV: Xls.Downloader.Generic-6750544-0
    Obfuscation or payload: unlikely
objdata_01_off00016c9a.bin  rtf-objdata-decoded  RTF \objdata at offset 0x16C9A  28731 bytes
    SHA-256: 7a0c7edcc1075841cf74782d360c0db71d19ad7392ea3fd461bfb19cea0f1bc9
    Detection: ClamAV: Xls.Downloader.Generic-6750544-0
    Obfuscation or payload: unlikely
objdata_03_off0003ed28.bin  rtf-objdata-decoded  RTF \objdata at offset 0x3ED28  28731 bytes
    SHA-256: e2ed7e06d23f7526d455f018fcbb7ee3fec2ed87d31d3967f2d6f1bbce5016dd
    Detection: ClamAV: Xls.Downloader.Generic-6750544-0
    Obfuscation or payload: unlikely
objdata_04_off00052d6f.bin  rtf-objdata-decoded  RTF \objdata at offset 0x52D6F  28731 bytes
    SHA-256: 12993f6db0e2b211ec1b52c2f3e2704845fc5677a9ab3d0b5034e8185c92213a
    Detection: ClamAV: Xls.Downloader.Generic-6750544-0
    Obfuscation or payload: unlikely
objdata_06_off0007adfd.bin  rtf-objdata-decoded  RTF \objdata at offset 0x7ADFD  28731 bytes
    SHA-256: 39a3a6bca38c944869f6fc4abfc87fb0b1405bd2d2810556c941c11faa29f60f
    Detection: ClamAV: Xls.Downloader.Generic-6750544-0
    Obfuscation or payload: unlikely
objdata_08_off000a2e8b.bin  rtf-objdata-decoded  RTF \objdata at offset 0xA2E8B  28731 bytes
    SHA-256: 55767a34d5e7e10412c279cefd9bb00d721dff87e65cd1fb2e49df72e57e97b6
    Detection: ClamAV: Xls.Downloader.Generic-6750544-0
    Obfuscation or payload: unlikely