Malicious RTF — malware analysis report

Static analysis result for SHA-256 b9076da6f1d82207…

MALICIOUS

RTF

201.2 KB First seen: 2015-09-30
MD5: 8a825d27ed201d2742fa0dde7e030e50 SHA-1: 676a20dfee9734ae0d8015bd9dd36eaf0f52d2a5 SHA-256: b9076da6f1d8220719150859b4f8a8b6d36dc7337f3f1a8f5eab48e5e753fdbe
60 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains embedded OLE object data, which is a known vector for exploiting vulnerabilities such as CVE-2012-1856 and CVE-2012-0158. This indicates the file is designed to execute arbitrary code when opened, likely delivered via spearphishing.

Heuristics 2

  • MSCOMCTL.Toolbar — CVE-2012-0158 / CVE-2012-1856 high CVE related CVE_2012_1856
    RTF \objdata decodes to OLE data containing the MSCOMCTL.Toolbar — CVE-2012-0158 / CVE-2012-1856 CLSID — the vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00000a54.bin rtf-objdata-decoded RTF \objdata at offset 0xA54 8423 bytes
SHA-256: a775251c84bcaf427dd403bdf18bce893ddc5414982c7100ad1e1c64f274e5b7

Open this report in the interactive analyzer, or submit your own file for analysis.