Malicious RTF — malware analysis report

Static analysis result for SHA-256 ba52899995d40713…

MALICIOUS

RTF

737.1 KB Created: 2018-04-27 01:23:00 First seen: 2019-04-18
MD5: 152934da09055470e558e8919833659e SHA-1: d6fdec4ba9255cedbac57c80d208577ea4b39f4c SHA-256: ba52899995d407132c3f99745fd13825398c7397e3dd9b5f95888129642b8441
262 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains multiple embedded OLE objects and triggers an ".objupdate" command, which is indicative of exploiting vulnerabilities like CVE-2017-8759 for client execution. ClamAV detections further confirm its malicious nature, flagging it as Doc.Macro.Obfuscation. The primary attack vector is likely spearphishing attachment, with the embedded OLE object serving as the mechanism to download and execute a secondary payload.

Heuristics 6

  • CVE-2017-8759 — MSXML SAX OLE activation critical CVE likely CVE_2017_8759
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • ClamAV: Doc.Dropper.Agent-6412232-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 10 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2003/wordml In RTF body

Extracted artifacts 10

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00002c1c.bin rtf-objdata-decoded RTF \objdata at offset 0x2C1C 24123 bytes
SHA-256: 5a75d5be307002380868ea9a93ffe9b372b178c77272b95a4ed1d0ab400be862
Detection
ClamAV: Doc.Dropper.Agent-6412232-1
Obfuscation or payload: unlikely
objdata_01_off000142a6.bin rtf-objdata-decoded RTF \objdata at offset 0x142A6 24123 bytes
SHA-256: 17c86932da93c3199efc61aea6f316707881da8e50d583982178a6ae3d14e02b
Detection
ClamAV: Doc.Dropper.Agent-6412232-1
Obfuscation or payload: unlikely
objdata_02_off00025930.bin rtf-objdata-decoded RTF \objdata at offset 0x25930 24123 bytes
SHA-256: a70aec69f56c7166e3cd3a36b61df1d399cdda6fa39a0a6d3f72c92dfb0c40e4
Detection
ClamAV: Doc.Dropper.Agent-6412232-1
Obfuscation or payload: unlikely
objdata_03_off00036fba.bin rtf-objdata-decoded RTF \objdata at offset 0x36FBA 24123 bytes
SHA-256: 7372ce007989f67be84539cb9f478a6fb91f39a8c7368879027d0416c6158bae
Detection
ClamAV: Doc.Dropper.Agent-6412232-1
Obfuscation or payload: unlikely
objdata_04_off00048644.bin rtf-objdata-decoded RTF \objdata at offset 0x48644 24123 bytes
SHA-256: 940362a067647a6ff2953e8c4d274f178f78a85a7e03a3e2ea1400d96a60421f
Detection
ClamAV: Doc.Dropper.Agent-6412232-1
Obfuscation or payload: unlikely
objdata_05_off00059d1a.bin rtf-objdata-decoded RTF \objdata at offset 0x59D1A 24123 bytes
SHA-256: 4ea62fedf8abff38893b9c05dde8bcef84b1be4f1f374c4f2ab5561da1a14fd5
Detection
ClamAV: Doc.Dropper.Agent-6412232-1
Obfuscation or payload: unlikely
objdata_06_off0006b3a4.bin rtf-objdata-decoded RTF \objdata at offset 0x6B3A4 24123 bytes
SHA-256: c93dbbc6bbcb8cd436f9fd433049504cd4d81d2f6a7c5dcf98458801fee5858f
Detection
ClamAV: Doc.Dropper.Agent-6412232-1
Obfuscation or payload: unlikely
objdata_07_off0007ca2e.bin rtf-objdata-decoded RTF \objdata at offset 0x7CA2E 24123 bytes
SHA-256: fda022cc60e440ce81bed29d2904f7418c7e8b1b1389670bc11beca5111c58c7
Detection
ClamAV: Doc.Dropper.Agent-6412232-1
Obfuscation or payload: unlikely
objdata_08_off0008e0b8.bin rtf-objdata-decoded RTF \objdata at offset 0x8E0B8 24123 bytes
SHA-256: 2e9dc0d84fec7ee94cf617e8b60319aac9ac74b5382e64f9a2e75bc693f5b055
Detection
ClamAV: Doc.Dropper.Agent-6412232-1
Obfuscation or payload: unlikely
objdata_09_off0009f742.bin rtf-objdata-decoded RTF \objdata at offset 0x9F742 24123 bytes
SHA-256: 2a1076a85496bf3d7bc6554daad40826446d33592ee5961df3451ffa6b6de0e4
Detection
ClamAV: Doc.Dropper.Agent-6412232-1
Obfuscation or payload: unlikely