Malicious RTF — malware analysis report

Static analysis result for SHA-256 c09cd82dd5944d89…

MALICIOUS

RTF

467.5 KB Created: 2019-10-15 22:59:00 First seen: 2020-02-04
MD5: e3c9c823aa0e0f5c0a5eb9b426576985 SHA-1: 07583b6ea3818175715f34a0e6d7fe0d5aae8c1a SHA-256: c09cd82dd5944d898feca25807cb089a81a4e8abf9801d97fe1fea7030414fb0
222 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains an embedded OLE object that exploits CVE-2017-8759, a known vulnerability in MSXML SAX. The presence of ` ef` and ` onttbl` with embedded OLE object data, along with references to Windows Script Host, indicates an attempt to execute arbitrary code. The file likely serves as a spearphishing attachment designed to exploit this vulnerability and download a secondary payload.

Heuristics 6

  • Split hex Equation Editor ProgID + OLE object critical CVE likely RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • CVE-2017-8759 — MSXML SAX OLE activation critical CVE likely CVE_2017_8759
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab In RTF body
    • http://schemas.microsoft.com/office/word/2003/wordmlIn RTF body

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00003055.bin rtf-objdata-decoded RTF \objdata at offset 0x3055 28426 bytes
SHA-256: f46ede0869215abe655d756cbd65086142bbb42874b900e759485f9f43dc7c53

Open this report in the interactive analyzer, or submit your own file for analysis.