Malicious RTF — malware analysis report

Static analysis result for SHA-256 b8c9585629294111…

Verdict: MALICIOUS
File type: RTF

Size: 143.9 KB | Created: 2021-01-20 03:05:00 | First seen: 2021-05-29
MD5: f5309bbb86912bca6f31110a309adb34
SHA-1: 66b1cbf52a435b9a2e6b324437900b016585088c
SHA-256: b8c95856292941111fc062a2493220f877eea593642693f614872890e6792533
Risk Score: 282

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment

The RTF document contains multiple embedded OLE objects, including a Package object, and uses \objupdate to force OLE activation as soon as the document is opened. The key finding is the staging shape of CVE-2017-8759: an OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document. CVE-2017-8759 is a code-injection vulnerability in the .NET Framework SOAP WSDL parser, not in MSXML itself; the SAX reader is the component that resolves the attacker's SOAP moniker and hands the fetched WSDL to the vulnerable parser, which compiles and runs the injected code. A URL Moniker CLSID is also present in OLE object context, but no remote target was decoded, so it counts as OLE2Link attack-surface evidence rather than a confirmed delivery path.

Heuristics (9)

  • CVE-2017-8759 — MSXML SAX OLE activation [critical | CVE likely | CVE_2017_8759]
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759, a code-injection flaw in the .NET Framework SOAP WSDL parser that is reached when the SAX reader resolves an attacker-controlled SOAP moniker. The "likely" qualifier reflects that this is a static structural match; confirming exploitation needs the WSDL/SOAP moniker target or the dropped second stage, neither of which appears among the extracted artifacts.
  • URL Moniker in RTF OLE object [high | CVE related | RTF_URL_MONIKER_RELATED]
    RTF contains the URL Moniker CLSID (GUID) in OLE object context, but no decoded remote target was confirmed. Treat this as related OLE2Link attack-surface evidence rather than proof of CVE-2017-0199 exploitation.
  • Automatically linked OLE object [high | RTF_OBJAUTLINK]
    RTF contains \objautlink, an automatically linked OLE object that Word can update or activate when the document is opened.
  • \objupdate forces OLE activation [high | RTF_OBJUPDATE]
    RTF contains \objupdate, which forces the OLE object to be instantiated and updated when the document is opened, without user interaction. Rare in benign documents; routinely used in exploit documents (Equation Editor, CVE-2017-0199 and CVE-2017-8759 staging) to trigger the object without a click.
  • Package object class [high | RTF_OBJCLASS_PACKAGE]
    OLE Package object: wraps an arbitrary file, which the Packager writes to a temporary directory when the object is activated, making it a common drop mechanism for a second stage.
  • OLE object data [medium | RTF_OBJDATA]
    RTF contains 13 \objdata section(s), each a hex-encoded embedded OLE object (one extracted artifact per section, listed below).
  • Embedded OLE object [medium | RTF_OBJEMB]
    RTF contains \objemb (embedded OLE object).
  • Suspicious extracted artifact [medium | EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks (script obfuscation, encoded payload blobs, packed data, or execution/download terms).
  • Embedded URL [info | EMBEDDED_URL]
    One or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL label shows which channel (macro, JS, link annotation, document body, ...) reached it.
    • http://localhost/index0001.htm (in RTF body)
    • http://schemas.microsoft.com/office/word/2003/wordml (in RTF body; the standard WordprocessingML namespace URI that Word writes into the \xmlnstbl of RTF it saves, not a network indicator)

Extracted artifacts (13)

Files carved from inside the sample during analysis. Each artifact is the decoded (de-hexed) content of one \objdata group, named after the RTF offset at which that group was found. Only objdata_00 carries detection annotations. Artifacts 03 through 12 share the same decoded size of 3714 bytes but have distinct hashes, i.e. ten repeated same-shaped objects rather than verbatim duplicates.

Filename | Kind | Source | Size
objdata_00_off00009833.bin | rtf-objdata-decoded | RTF \objdata at offset 0x9833 | 3173 bytes
  SHA-256: 8f422165c4169d85dff9e55f2700b3592791d62b617e6b5e17d006c8eb435da4
  Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 2 shell/COM execution token(s).
objdata_01_off0000b1a4.bin | rtf-objdata-decoded | RTF \objdata at offset 0xB1A4 | 469 bytes
  SHA-256: 7ee7c46ab31f4673defd22af1a3ff4bca0d7e3ddf66e276ce6953e54017fe004
objdata_02_off0000b5f5.bin | rtf-objdata-decoded | RTF \objdata at offset 0xB5F5 | 12296 bytes
  SHA-256: c082d0576c55680f953cb9c3d4b3fec2dfe4cea718d39c8b619846046e9da2ee
objdata_03_off000116b0.bin | rtf-objdata-decoded | RTF \objdata at offset 0x116B0 | 3714 bytes
  SHA-256: ae3dee7e6631e2b47aabe1f50a024b908e8275ab789ed04de3020e1526565032
objdata_04_off00013469.bin | rtf-objdata-decoded | RTF \objdata at offset 0x13469 | 3714 bytes
  SHA-256: 810066bad51895e758df6b2d592b179737170037f9dae2246eb6f8b767847fc0
objdata_05_off00015222.bin | rtf-objdata-decoded | RTF \objdata at offset 0x15222 | 3714 bytes
  SHA-256: df8219a7ca8e8fc6cf31220e6e38fc2b0879fa2ab272e9d78ac706e69afb5804
objdata_06_off00016fdb.bin | rtf-objdata-decoded | RTF \objdata at offset 0x16FDB | 3714 bytes
  SHA-256: 04b3d726caa78588103810167c5eeab0376f008b1c3bf8b3f29af7f98d2b4bb3
objdata_07_off00018d94.bin | rtf-objdata-decoded | RTF \objdata at offset 0x18D94 | 3714 bytes
  SHA-256: eb48bf4c6a64d16b4753ac4219c79b60a92036a40d954633140e9f7d644b50a2
objdata_08_off0001ab4d.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1AB4D | 3714 bytes
  SHA-256: 91d90907455ecaf9bfb0a42d109a351236db4f43675c70634ea8e1fd4f7772e5
objdata_09_off0001c906.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1C906 | 3714 bytes
  SHA-256: 9d68ad2bf2aa8adc97fe8237eee10816b31c619dc83f7ea4cb9243edac02ecc0
objdata_10_off0001e6bf.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1E6BF | 3714 bytes
  SHA-256: 9be93655c952555130af6facf7bc947edef3d23a541fa6405a4a38da34edc7a0
objdata_11_off00020478.bin | rtf-objdata-decoded | RTF \objdata at offset 0x20478 | 3714 bytes
  SHA-256: 515a643d6f1186dd0049d7032046f304efd1b6be8c53c19b868c14407442c6a2
objdata_12_off00022231.bin | rtf-objdata-decoded | RTF \objdata at offset 0x22231 | 3714 bytes
  SHA-256: 7823c2377fbec340ceee99e3070e4fe78dac4f8ec8befb20bd018ade4b759f68
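To reproduce the checks behind the heuristics and the artifact table above (carving each \objdata hex run at its offset, decoding and hashing it, reading the OLE1 class name, and testing for the URL Moniker CLSID and the SAX-reader-plus-compound-document staging shape), here is an added Python example. It is not the analysis platform's code. The OLE1 header layout (version 0x501, format 2, class name), the compound-file magic and the URL Moniker CLSID are public constants; the RTF it parses is constructed inline for the demonstration and is not this sample.

```python
"""Carve \\objdata blobs from an RTF and re-run the OLE heuristics above.

Added example; not the analysis platform's code. Constants are the public
OLE1 header layout (MS-OLEDS), the compound-file magic and the URL Moniker
CLSID; SAMPLE_RTF is constructed here and is not the analysed file.
"""
import hashlib
import re
import struct
import uuid

URL_MONIKER_CLSID = uuid.UUID("79eac9e0-baf9-11ce-8c82-00aa004ba90b")  # CLSID_StdURLMoniker
OLE_CFB_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")      # OLE compound-file signature
SAX_CLASS_PREFIX = b"Msxml2.SAXXMLReader"              # CVE-2017-8759 staging class
PACKAGE_CLASS = b"Package"                             # OLE Package (arbitrary file wrapper)
CONTROL_WORDS = (b"objemb", b"objautlink", b"objupdate")
OBJDATA_RE = re.compile(rb"\\objdata\b([^}]*)")        # hex run up to the group's closing brace


def carve_objdata(rtf: bytes):
    """Yield (offset of the \\objdata control word, decoded bytes) for every group."""
    for m in OBJDATA_RE.finditer(rtf):
        hexrun = re.sub(rb"[^0-9A-Fa-f]", b"", m.group(1))  # writers wrap hex with CRLF/spaces
        if len(hexrun) % 2:  # odd nibble count: drop the stray nibble instead of aborting
            hexrun = hexrun[:-1]
        yield m.start(), bytes.fromhex(hexrun.decode("ascii"))


def parse_ole1_class(blob: bytes):
    """Return the class name from an OLE1 ObjectHeader, or None if the blob is not OLE1."""
    if len(blob) < 12:
        return None
    version, fmt, name_len = struct.unpack_from("<III", blob, 0)
    if version != 0x00000501 or fmt != 0x00000002 or name_len > len(blob) - 12:
        return None  # format 2 = embedded object; anything else is not triaged here
    return blob[12:12 + name_len].rstrip(b"\x00")


def triage_rtf(rtf: bytes) -> dict:
    """Apply the report's RTF_OBJ*, URL moniker and CVE-2017-8759 shape checks."""
    findings = {w.decode(): bool(re.search(rb"\\" + w + rb"\b", rtf)) for w in CONTROL_WORDS}
    findings["objects"] = []
    for offset, blob in carve_objdata(rtf):
        cls = parse_ole1_class(blob)
        findings["objects"].append({
            "offset": offset,
            "size": len(blob),
            "sha256": hashlib.sha256(blob).hexdigest(),
            "class": cls.decode("latin-1") if cls else None,
            "sax_reader": bool(cls and cls.startswith(SAX_CLASS_PREFIX)),
            "package": cls == PACKAGE_CLASS,
            "url_moniker": URL_MONIKER_CLSID.bytes_le in blob,  # GUIDs are stored little-endian
            "embeds_cfb": OLE_CFB_MAGIC in blob,
        })
    objs = findings["objects"]
    # Staging shape from the first heuristic: SAX reader object + an OLE compound
    # document + forced activation. A structural match, not proof of exploitation.
    findings["cve_2017_8759_shape"] = bool(
        findings["objupdate"]
        and any(o["sax_reader"] for o in objs)
        and any(o["embeds_cfb"] for o in objs)
    )
    return findings


def _ole1(class_name: bytes, payload: bytes) -> bytes:
    """Build an OLE1 embedded-object stream: version 0x501, format 2, no topic/item name."""
    name = class_name + b"\x00"
    return (struct.pack("<III", 0x00000501, 0x00000002, len(name)) + name
            + struct.pack("<III", 0, 0, len(payload)) + payload)


def _rtf_object(blob: bytes, extra: bytes = b"") -> bytes:
    """Wrap a blob as {\\object\\objemb<extra>{\\*\\objdata <hex>}} with 64-char hex lines."""
    hexed = blob.hex().encode("ascii")
    wrapped = b"\r\n".join(hexed[i:i + 64] for i in range(0, len(hexed), 64))
    return b"{\\object\\objemb" + extra + b"{\\*\\objdata " + wrapped + b"}}"


# Constructed sample (not the analysed file): the three object kinds the heuristics flag.
SAMPLE_RTF = (
    b"{\\rtf1\\ansi Constructed sample.\\par\r\n"
    + _rtf_object(_ole1(SAX_CLASS_PREFIX + b".6.0", b"<xml/>"), b"\\objupdate")
    + _rtf_object(_ole1(b"Word.Document.8", OLE_CFB_MAGIC + b"\x00" * 24 + URL_MONIKER_CLSID.bytes_le))
    + _rtf_object(_ole1(PACKAGE_CLASS, b"MZ..."))
    + b"}"
)

if __name__ == "__main__":
    result = triage_rtf(SAMPLE_RTF)
    for o in result["objects"]:
        print(f"objdata at 0x{o['offset']:X} {o['size']} bytes class={o['class']} "
              f"sax={o['sax_reader']} pkg={o['package']} urlmon={o['url_moniker']}")
    print("CVE-2017-8759 staging shape:", result["cve_2017_8759_shape"])
```

Run it on a real file with triage_rtf(open(path, "rb").read()). The shape flag has the same standing as the "likely" label in the first heuristic: it is structural evidence only, and a hit still needs the carved objects examined (the compound document's streams, any Package payload) before exploitation is called confirmed.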