Xls.Downloader.Generic-6750544-0 — RTF malware analysis

Static analysis result for SHA-256 c38246534c7e9b6b…

Verdict: MALICIOUS
File type: RTF
Size: 1.35 MB
Created: 2018-03-12 22:02:00
First seen: 2018-06-14
MD5: 3ea71c153fbbc886f198c222209205d4
SHA-1: 67ff1383de65d4956bc3b9156f83b815f910fee8
SHA-256: c38246534c7e9b6b710fe0105bd934fb587e1087957c38e6a5b4826b50ba462e
Risk Score: 302

Malware Insights

Xls.Downloader.Generic-6750544-0 · confidence 95%

MITRE ATT&CK

  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file contains numerous OLE objects and excessive hex-encoded data, strongly suggesting it hides a payload. Critical heuristics indicate exploitation of CVE-2017-8759 for OLE activation, a known vulnerability used to execute arbitrary code. ClamAV detection as 'Xls.Downloader.Generic-6750544-0' further confirms its malicious nature as a downloader.

Heuristics (7)

  • CVE-2017-8759 — MSXML SAX OLE activation (critical, CVE likely, CVE_2017_8759)
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • ClamAV: Xls.Downloader.Generic-6750544-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Downloader.Generic-6750544-0.
  • \objupdate forces OLE activation (high, RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • Large hex data blocks in OLE object (high, RTF_EXCESSIVE_HEX)
    RTF contains ~1049 KB of hex-encoded data inside \objdata sections — may hide a payload.
  • OLE object data (medium, RTF_OBJDATA)
    RTF contains 17 \objdata section(s) — embedded OLE objects.
  • Embedded OLE object (medium, RTF_OBJEMB)
    RTF contains \objemb — embedded OLE object.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
      • http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)
      • http://schemas.openxmlformats.org/drawingml/2006/main (in RTF body)

Extracted artifacts (11)

Files carved from inside the sample during analysis.

Each entry lists: filename · kind · source · size, followed by its SHA-256, detection result, and obfuscation/payload assessment.

  • objdata_00_off00002c44.bin · rtf-objdata-decoded · RTF \objdata at offset 0x2C44 · 28731 bytes
    SHA-256: 5bb95fcf50b3e67713e530c734533e43782f9fd87d2d22a8ae76c2ee11b7fc2b
    Detection: ClamAV: Xls.Downloader.Generic-6750544-0
    Obfuscation or payload: unlikely
  • objdata_01_off00016c84.bin · rtf-objdata-decoded · RTF \objdata at offset 0x16C84 · 28731 bytes
    SHA-256: 0caae0b80507f3f1f0f29559a2b99876eb0a7363fdb5ae3eb238184c3a5fc215
    Detection: ClamAV: Xls.Downloader.Generic-6750544-0
    Obfuscation or payload: unlikely
  • objdata_02_off0002acc4.bin · rtf-objdata-decoded · RTF \objdata at offset 0x2ACC4 · 28731 bytes
    SHA-256: d2ae796d279f4a11ba3b3b859f5c90e2422e30a1e3b94ed88a5360134b2c8e95
    Detection: ClamAV: Xls.Downloader.Generic-6750544-0
    Obfuscation or payload: unlikely
  • objdata_03_off0003ed04.bin · rtf-objdata-decoded · RTF \objdata at offset 0x3ED04 · 28731 bytes
    SHA-256: 133c2661f72a7775168af1ccc0128f095693a9db09d36e2985456a60739cf306
    Detection: ClamAV: Xls.Downloader.Generic-6750544-0
    Obfuscation or payload: unlikely
  • objdata_04_off00052d44.bin · rtf-objdata-decoded · RTF \objdata at offset 0x52D44 · 28731 bytes
    SHA-256: dae4d06113e488ab9e6662f2c9bbfaf1aa494860c9b757092b0aa3c04dc48f5c
    Detection: ClamAV: Xls.Downloader.Generic-6750544-0
    Obfuscation or payload: unlikely
  • objdata_05_off00066d84.bin · rtf-objdata-decoded · RTF \objdata at offset 0x66D84 · 28731 bytes
    SHA-256: ca14b4c286ee424d1e4aefee900ce1f6e785740677383c63f7eaf5a331a3e0bd
    Detection: ClamAV: Xls.Downloader.Generic-6750544-0
    Obfuscation or payload: unlikely
  • objdata_06_off0007adc4.bin · rtf-objdata-decoded · RTF \objdata at offset 0x7ADC4 · 424684 bytes
    SHA-256: ed9d199fab24973cb1b877d503923a2856a544f106cf6cc841acffad7759bde0
    Detection: ClamAV: Xls.Downloader.Generic-6750544-0
    Obfuscation or payload: unlikely
  • objdata_13_off00101349.bin · rtf-objdata-decoded · RTF \objdata at offset 0x101349 · 28731 bytes
    SHA-256: 57445bb0b0acd9a6e00990859d24d6f746cf4648367acb88448846e0f33d8fd2
    Detection: ClamAV: Xls.Downloader.Generic-6750544-0
    Obfuscation or payload: unlikely
  • objdata_14_off00115389.bin · rtf-objdata-decoded · RTF \objdata at offset 0x115389 · 28731 bytes
    SHA-256: b8803864058cb191893ad765af2800588115eef1838b98d6aa5715a59a1951b8
    Detection: ClamAV: Xls.Downloader.Generic-6750544-0
    Obfuscation or payload: unlikely
  • objdata_15_off001293c9.bin · rtf-objdata-decoded · RTF \objdata at offset 0x1293C9 · 28731 bytes
    SHA-256: 15900a78394cf9e647997c563e1af8303b6653ddb85bd6aab3eb7efabb55ff65
    Detection: ClamAV: Xls.Downloader.Generic-6750544-0
    Obfuscation or payload: unlikely
  • objdata_16_off0013d409.bin · rtf-objdata-decoded · RTF \objdata at offset 0x13D409 · 28731 bytes
    SHA-256: 4e6056bed46e25b262e6c8f831ba61882eb7f18da84612b89fd2082ad74edca3
    Detection: ClamAV: Xls.Downloader.Generic-6750544-0
    Obfuscation or payload: unlikely