Malicious RTF — malware analysis report

Static analysis result for SHA-256 beade1adfd33b691…

Verdict: MALICIOUS

File type: RTF

Size: 918.5 KB | Created: 2018-05-10 16:06:00 | First seen: 2019-11-20
MD5: 1bd07c7bcd0c92abe2ee1c5cb13969fe
SHA-1: 420bf10c4d834f3f78b24762bc50cc7325fd7972
SHA-256: beade1adfd33b691e53777248f0419ad63f827a662b099b5c60c3b5acd0cf71d
Risk Score: 262

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains multiple embedded OLE objects and carries a \objupdate control word, which is indicative of exploiting vulnerabilities like CVE-2017-8759 for client execution. ClamAV detections further confirm its malicious nature, flagging it as Doc.Macro.Obfuscation. The primary attack vector is likely a spearphishing attachment, with the embedded OLE object serving as the mechanism to download and execute a secondary payload.

Heuristics (6)

  • CVE-2017-8759 — MSXML SAX OLE activation | severity: critical | CVE likely | rule: CVE_2017_8759
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • ClamAV: Doc.Dropper.Agent-6412232-1 | severity: critical | rule: CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1
  • \objupdate forces OLE activation | severity: high | rule: RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data | severity: medium | rule: RTF_OBJDATA
    RTF contains 10 \objdata section(s) — embedded OLE objects
  • Embedded OLE object | severity: medium | rule: RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Embedded URL | severity: info | rule: EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Fields per artifact: Filename, Kind, Source, Size, SHA-256, Detection, Obfuscation or payload.

objdata_00_off00002c09.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x2C09
  Size: 33339 bytes
  SHA-256: 62e142c3921ef3538c31b910e66e91e44cbec50eac8e2ce69042ed1839f5053e
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely

objdata_01_off00018b21.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x18B21
  Size: 33339 bytes
  SHA-256: 3239acf674cc29f1b7bd3ff560b3cbe322c77222486869dd95f2db216c24b329
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely

objdata_02_off0002ea39.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x2EA39
  Size: 33339 bytes
  SHA-256: f54b15c7253e485e3082b319c608cf498c362a126bb0b62b8ece9ea0335e24f0
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely

objdata_03_off00044951.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x44951
  Size: 33339 bytes
  SHA-256: 56c2c2fb0a2f88612a818f70f77ab94f533c62293818563ecc559017da04be3b
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely

objdata_04_off0005a869.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x5A869
  Size: 33339 bytes
  SHA-256: 715a70dd17b2a9df742965523cdddaccaab5de268f677387d5a545ac6356ed20
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely

objdata_05_off000707cb.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x707CB
  Size: 33339 bytes
  SHA-256: b133f83b3a9b3a4696ef5add44e6cc730c2de646039bf0e57b98a0ddb3dfe57d
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely

objdata_06_off000866e3.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x866E3
  Size: 33339 bytes
  SHA-256: dec1732a77c28ee2763e8475438297c682146691a585a8b6fd45dbea96bcef96
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely

objdata_07_off0009c5fb.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x9C5FB
  Size: 33339 bytes
  SHA-256: 8c4273bb033fd1ea92308b0570b0c8ffea446a2d9ba1a109b7e384e1b3f056a8
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely

objdata_08_off000b2513.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0xB2513
  Size: 33339 bytes
  SHA-256: c90a3286dbaf45b40e3b7738cee1873881ad60a6fd4c7dd2ef90d31daca369f9
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely

objdata_09_off000c842b.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0xC842B
  Size: 33339 bytes
  SHA-256: 8aa3f600ff17d2d7d59d2063ad03ce25cba1f604f434ae86df688566d0a0e1f2
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely