Malicious RTF — malware analysis report

Static analysis result for SHA-256 b99ef9e40474d0e4…

MALICIOUS

RTF

Size: 441.8 KB
Created: 2016-11-27 22:42:00
First seen: 2017-09-14
MD5: b52b12a678660694e123db1cfe45c596
SHA-1: 62184a18353cb52ccbc53b71b2039a4161460602
SHA-256: b99ef9e40474d0e431959d9426504dddd05c4a60cb3831db623efeb317e4febe
Risk Score: 222

Malware Insights

MITRE ATT&CK: T1203 Exploitation for Client Execution

The RTF document contains an OLE object that exploits CVE-2017-0199, referencing the remote URL http://rottastics36w.net/template.doc. This indicates the file is designed to download and execute a secondary payload. The presence of VirtualAlloc, LoadLibrary, and GetProcAddress API calls further suggests the execution of downloaded code.

Heuristics (7)

  • CVE-2017-0199 (OLE2Link / remote URL Moniker) [critical, CVE likely] (CVE_2017_0199)
    RTF contains a URL Moniker OLE link whose decoded target is remote. Office can fetch and process the response through the CVE-2017-0199 OLE2Link attack path, but the server-side content type is not proven statically.
  • Reference to LoadLibrary API [high] (SC_STR_LOADLIBRARY)
  • Reference to GetProcAddress API [high] (SC_STR_GETPROCADDRESS)
  • Automatically linked OLE object [high] (RTF_OBJAUTLINK)
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • Reference to VirtualAlloc API [medium] (SC_STR_VIRTUALALLOC)
  • OLE object data [medium] (RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (channel in parentheses):
    • http://www.usertrust.com1 (in RTF body)
    • http://ocsp.usertrust.com0 (in RTF body)
    • https://secure.comodo.net/CPS0C (in RTF body)
    • http://ocsp.comodoca.com0 (in RTF body)
    • http://rottastics36w.net/template.doc (in RTF body)
    • http://crl.usertrust.com/UTN-USERFirst-Object.crl05 (in RTF body)
    • http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t (in RTF body)
    • http://crt.comodoca.com/COMODORSACodeSigningCA.crt0$ (in RTF body)
    • http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q (in RTF body)
    • http://crt.comodoca.com/COMODORSAAddTrustCA.crt0$ (in RTF body)
    • http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00003178.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x3178
Size: 2724 bytes
SHA-256: a6cc612766fee984fa419069b663e5435cc280b0a5b740dd9290b227de3451a7