Malicious RTF — malware analysis report

Static analysis result for SHA-256 bc7235cbba0eb50a…

MALICIOUS

RTF

50.0 KB Created: 2018-04-12 12:42:00 First seen: 2019-04-18
MD5: 4f6c99547a4e70791b8806aabb90e7b9 SHA-1: 24573bc3b7046bd1ef517d5bc005f37b995e1bef SHA-256: bc7235cbba0eb50a6417b31631e71d37b2728f4f8e2b6e6dabe4a761ee310855
222 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF document contains OLE object data and is configured to automatically update and activate an embedded OLE object. This behavior is indicative of exploitation for client execution, specifically leveraging CVE-2017-0199 to fetch a remote resource. The embedded URL 'http://10.99.11.53/htatest/alert.txt' is likely the location of a secondary payload.

Heuristics 6

  • CVE-2017-8759 — MSXML SAX OLE activation critical CVE likely CVE_2017_8759
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • CVE-2017-0199 (OLE2Link / remote URL Moniker) critical CVE likely CVE_2017_0199
    RTF contains a URL Moniker OLE link whose decoded target is remote. Office can fetch and process the response through the CVE-2017-0199 OLE2Link attack path, but the server-side content type is not proven statically.
  • Automatically linked OLE object high RTF_OBJAUTLINK
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://10.99.11.53/htatest/alert.txt In RTF body

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00002c98.bin rtf-objdata-decoded RTF \objdata at offset 0x2C98 3202 bytes
SHA-256: a5fd5985f23ee2115d4ce90486f74e1a040d5ee156c878ddba9b8d21d9e8ab4f

Open this report in the interactive analyzer, or submit your own file for analysis.