Malicious RTF — malware analysis report

Static analysis result for SHA-256 c0406355b3ba969e…

Verdict: MALICIOUS
File type: RTF
Size: 7.26 MB
Created: 2015-03-03 21:27:00
First seen: 2019-02-10
MD5: 5d676eeeb40662d2021dbc8eeb77b81c
SHA-1: dcabb4307cf1a5854c691ff11e2890bf7c7d2a49
SHA-256: c0406355b3ba969e4943f2f6e4c8125ca89ed0ccc672765e2ef88a02d659800b
Risk score: 242

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file contains multiple OLE objects and excessive hex-encoded data, strongly indicating the presence of embedded malicious content. Heuristics confirm the exploitation of CVE-2012-0158, a known vulnerability in MSCOMCTL.ListView, which is often used to execute arbitrary code. The presence of a suspicious URL pointing to a .exe file suggests a downloader for a second-stage payload.

Heuristics (8)

  • MSCOMCTL.ListView — CVE-2012-0158 [high, CVE related] CVE_2012_0158
    RTF \objdata decodes to OLE data containing the MSCOMCTL.ListView — CVE-2012-0158 CLSID — the vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
  • Composite Moniker in RTF OLE object [high, CVE related] RTF_COMPOSITE_MONIKER_RELATED
    RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • ClamAV: Rtf.Exploit.CVE_2012_0158-18 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Rtf.Exploit.CVE_2012_0158-18
  • Large hex data blocks in OLE object [high] RTF_EXCESSIVE_HEX
    RTF contains ~4474KB of hex-encoded data inside \objdata sections — may hide a payload
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 4 \objdata section(s) — embedded OLE objects
  • Embedded OLE object [medium] RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Suspicious extracted artifact [medium] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.nextgenss.com/papers.htm (in RTF body)
    • http://www.spidynamics.com/support/whitepapers/ (in RTF body)
    • http://www.appsecinc.com/techdocs/whitepapers.html (in RTF body)
    • http://www.atstake.com/research/advisories (in RTF body)
    • http://www.sqlsecurity.com (in RTF body)
    • HTTP://myfishdown.com/upd/pn_stub2.exe (in RTF body)
    • http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)
    • http://www.owasp.org (in RTF body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in RTF body)
    • http://www.securityfocus.com/infocus/1768 (in RTF body)

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • objdata_00_off0045d35a.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x45D35A
    Size: 904737 bytes
    SHA-256: 972941f1556ccea59f2067ae14c317e9a7a800fd9c0d46430e5e187693d252ab
  • objdata_01_off00660b64.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x660B64
    Size: 440 bytes
    SHA-256: ea5d234f81e7c6f4d2681a1e14ba35656c4caea1ff0358220f369a5f5b5ba6da
  • objdata_02_off0066937a.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x66937A
    Size: 269857 bytes
    SHA-256: a6ba9cf70f6cd5c85c38cc02b59f20925729f25fa750a4e329b93d779082e21e
    Detection (ClamAV): No threats found
    Obfuscation or payload: likely
    Static shellcode analysis found candidate code region(s). Indicators: SC_PEB_ACCESS
  • objdata_03_off00671d3f.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x671D3F
    Size: 269406 bytes
    SHA-256: fe0e8bb4ff48f72cfb926510bd4d7ac93d8a7938d29bb8cc191144bff65e4bca