Malicious RTF — malware analysis report

Static analysis result for SHA-256 b21af02be828ca6a…

MALICIOUS

RTF

1.27 MB First seen: 2018-11-20
MD5: 92a94483ce62d919b87d3afce5001358 SHA-1: e6d890b42e364d642157eb6cc779360fea78d24f SHA-256: b21af02be828ca6a8ddfe3c030d72fd24e3e453abc27f892e55266e6e97c9627
222 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF file contains multiple indicators of exploitation for CVE-2017-8570, including the presence of OLE objects, composite monikers, and objdata sections. This vulnerability is known to be used to drop and execute script files, likely leading to further malicious activity. The embedded URLs are confirmed benign and no document body or script content was extracted to provide further context.

Heuristics 7

  • Composite Moniker — CVE-2017-8570 (drops SCT script) critical CVE related CVE_2017_8570
    RTF \objdata decodes to OLE data containing the Composite Moniker — CVE-2017-8570 (drops SCT script) CLSID — the vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
  • Composite Moniker in RTF OLE object high CVE related RTF_COMPOSITE_MONIKER_RELATED
    RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • Large hex data blocks in OLE object high RTF_EXCESSIVE_HEX
    RTF contains ~1155KB of hex-encoded data inside \objdata sections — may hide a payload
  • OLE object data medium RTF_OBJDATA
    RTF contains 9 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ocsp.digicert.com0O In RTF body
    • http://ocsp.digicert.com0CIn RTF body
    • https://www.digicert.com/CPS0�In RTF body
    • http://crl3.digicert.com/sha2-assured-ts.crl02�0�.�,http://crl4.digicert.com/sha2-assured-ts.crl0��In RTF body
    • http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0In RTF body
    • http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0��In RTF body
    • http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:�8�6�4http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0PIn RTF body
    • https://www.digicert.com/CPS0In RTF body
    • http://schemas.microsoft.com/office/word/2003/wordmlIn RTF body

Extracted artifacts 8

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00000025.bin rtf-objdata-decoded RTF \objdata at offset 0x25 205 bytes
SHA-256: 980870ba17beb12f03c3941a0cfa655d820816cec9104090156a6ea6ece5ce8a
objdata_01_off000001ee.bin rtf-objdata-decoded RTF \objdata at offset 0x1EE 577811 bytes
SHA-256: 74d3ba1c12f088a135e5f5a7376e67232a31fb9f179b05751a6c572633e60387
objdata_02_off00132a7b.bin rtf-objdata-decoded RTF \objdata at offset 0x132A7B 1004 bytes
SHA-256: de57d2083ef5e021ec705be7e3dd4b0e90d1d2f7950e0bc7ffde2709f639f965
objdata_03_off0013328c.bin rtf-objdata-decoded RTF \objdata at offset 0x13328C 31676 bytes
SHA-256: 8e1be3feb782a829ff258a0e054e4c260ab6864e307e975e6874709ef91bf7cf
objdata_04_off00142a3c.bin rtf-objdata-decoded RTF \objdata at offset 0x142A3C 359 bytes
SHA-256: 357be353baa88dc3743707bade3b7e68e8e017f02553817dd77495fda9a64957
objdata_05_off00142d46.bin rtf-objdata-decoded RTF \objdata at offset 0x142D46 866 bytes
SHA-256: 5d0695c0b0c9feed62b1faa3e75242a3007ac483afd76a69c04e9ed6b9541365
objdata_06_off00143488.bin rtf-objdata-decoded RTF \objdata at offset 0x143488 2633 bytes
SHA-256: fe11c27d916ab897eb94064e9631d8a29c847a6db39259bef31578da8d19fdf5
objdata_07_off001449a0.bin rtf-objdata-decoded RTF \objdata at offset 0x1449A0 2601 bytes
SHA-256: 67ff079a9b0f053ca2843811d9da7a8fdedc7d9d377ef39d09dde148b9657c7f

Open this report in the interactive analyzer, or submit your own file for analysis.