Malicious RTF — malware analysis report

Static analysis result for SHA-256 bf16e722984f266e…

MALICIOUS

RTF

2.22 MB Created: 2019-09-17 13:59:00 First seen: 2020-06-01
MD5: 8eff8dc524140044e7193e5e816a9134 SHA-1: ea88f4f8d57b5c2a316d15533cd5ea5ebb043b19 SHA-256: bf16e722984f266ed24480bbf2c796cd9cb6104324b066d6e086628c1b4d4b77
142 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains embedded OLE objects and triggers an objupdate directive, indicating an attempt to activate these objects. The critical heuristic firing for CVE-2017-8759 confirms exploitation of this vulnerability for OLE activation. This suggests the file is designed to execute arbitrary code, likely by downloading a secondary payload.

Heuristics 5

  • CVE-2017-8759 — MSXML SAX OLE activation critical CVE likely CVE_2017_8759
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2003/wordml In RTF body

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off002291a2.bin rtf-objdata-decoded RTF \objdata at offset 0x2291A2 1413 bytes
SHA-256: 3f5067dfdbb25038836ac0bd9004b858f0c3e21eb8bb7d77836c1eb4b7cd863c

Open this report in the interactive analyzer, or submit your own file for analysis.