Malicious RTF — malware analysis report

Static analysis result for SHA-256 c3aa42098908d9e5…

MALICIOUS

RTF

Size: 921.4 KB   Created: 2018-03-12 22:15:00   First seen: 2018-06-25
MD5: 46a1e489cc41b2a97aa9d2e9d91eb300
SHA-1: a205f88bba95399953f35836892c5ca12fddc370
SHA-256: c3aa42098908d9e51e3c824ce50bf4b9c9a80e1df2f8d4dca19c5e40b63a85b5
Risk score: 262

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file embeds multiple OLE objects (11 \objdata sections, one of them an OLE1 object whose class is Msxml2.SAXXMLReader.6.0) and carries the \objupdate control word, which makes Word instantiate the embedded objects as soon as the document is opened instead of waiting for the user to activate them. An MSXML SAXXMLReader object followed by an embedded OLE compound document, forced to activate on open, is the staging shape used for CVE-2017-8759 (SOAP WSDL parser code injection in the .NET Framework), so T1203 is the likely execution technique. ClamAV flags both the container and each carved \objdata object as Xls.Downloader.Generic-6750544-0, consistent with a downloader stage rather than a self-contained payload. The delivery vector is most likely a spearphishing attachment (T1566.001). Static extraction recovered no download URL (the only URL in the body is the WordML schema namespace), so the second-stage location is not known from this analysis.

Heuristics (6)

  • CVE-2017-8759 — MSXML SAX OLE activation (critical, likely; rule CVE_2017_8759)
    RTF contains a hex-encoded OLE1 object whose class name is Msxml2.SAXXMLReader.6.0, followed by an embedded OLE compound document, and the document requests automatic OLE activation. This matches the RTF staging shape used for CVE-2017-8759, the SOAP WSDL parser code injection in the .NET Framework that is triggered from an MSXML SAXXMLReader OLE object. The match is on structure, not on a recovered exploit URL.
  • ClamAV: Xls.Downloader.Generic-6750544-0 (critical; rule CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Downloader.Generic-6750544-0. The same signature fires on every carved \objdata object listed below. The Xls prefix is part of ClamAV's signature family name and does not mean the sample is an Excel file; the container here is RTF.
  • \objupdate forces OLE activation (high; rule RTF_OBJUPDATE)
    RTF contains \objupdate, which tells Word to update (instantiate) the embedded OLE object as soon as the document is opened, with no click on the object required. Legitimate documents rarely use it; it is characteristic of exploit RTFs, including Equation Editor exploit documents, and here it pairs with the MSXML object. It does not defeat Protected View: a file carrying the mark of the web still needs the user to enable editing before OLE objects activate.
  • OLE object data (medium; rule RTF_OBJDATA)
    RTF contains 11 \objdata sections (embedded OLE objects); 6 of them were carved as artifacts below.
  • Embedded OLE object (medium; rule RTF_OBJEMB)
    RTF contains \objemb, marking the object as embedded rather than linked.
  • Embedded URL (info; rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body). This is the standard WordML XML namespace identifier, not a download location.
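
How a triage script reproduces the RTF_OBJDATA, RTF_OBJEMB, RTF_OBJUPDATE and CVE_2017_8759 checks above, as an added example (not the analysis engine's code and not derived from the sample): it walks each \objdata destination with brace tracking, drops interleaved control words and nested groups before hex-decoding (the usual obfuscation in exploit builders), reads the OLE1 ObjectHeader (OLEVersion, FormatID, length-prefixed ClassName) to recover the class name, and tests the native data for the compound-file magic. The embedded RTF, the class names Msxml2.SAXXMLReader.6.0 and Package, the native payloads and the junk control word \lang1033 are constructed test input; the OLE1 layout follows [MS-OLEDS].

```python
"""RTF \\objdata triage: decode embedded OLE1 objects and flag auto-activation.
Added example for this report; constructed input, not the analysis engine's code."""
import hashlib
import re
import string
import struct

CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE compound file signature
# Control word with optional numeric parameter and delimiter, \'hh escape, or control symbol
_CTRL = re.compile(r"\\'[0-9A-Fa-f]{2}|\\[A-Za-z]+-?\d* ?|\\[^A-Za-z]")


def extract_objdata(rtf: str):
    """Yield (offset, decoded_bytes) for every \\objdata destination.

    Brace depth is tracked from the control word to its closing brace; hex digits are
    collected only at depth 1, so junk control words and nested groups that break naive
    regex extraction are ignored. (\\binN raw-byte runs are not handled here.)
    """
    for m in re.finditer(r"\\objdata(?![A-Za-z])", rtf):
        i, depth, digits = m.end(), 1, []
        while i < len(rtf) and depth:
            c = rtf[i]
            if c == "\\":  # skip \word123 , \'hh, \{ \} \*
                cw = _CTRL.match(rtf, i)
                i = cw.end() if cw else i + 2
                continue
            if c == "{":
                depth += 1
            elif c == "}":
                depth -= 1
            elif depth == 1 and c in string.hexdigits:
                digits.append(c)
            i += 1
        hexstr = "".join(digits)
        if len(hexstr) % 2:
            hexstr = hexstr[:-1]  # drop a stray trailing nibble
        yield m.start(), bytes.fromhex(hexstr)


def _lp_ansi(blob: bytes, pos: int):
    """Read a LengthPrefixedAnsiString ([MS-OLEDS] 2.1.4); return (text, new_pos) or None."""
    if pos + 4 > len(blob):
        return None
    (n,) = struct.unpack_from("<I", blob, pos)
    pos += 4
    if n > len(blob) - pos:
        return None
    return blob[pos:pos + n].rstrip(b"\0").decode("latin-1"), pos + n


def parse_ole1(blob: bytes) -> dict:
    """Parse the OLE1 ObjectHeader ([MS-OLEDS] 2.2.4) and, for FormatID 2
    (EmbeddedObject), the NativeDataSize/NativeData that follow it."""
    info = {"ole_version": None, "format_id": None, "class_name": None,
            "native_size": None, "native_data": b"", "cfb_magic": False}
    if len(blob) < 8:
        return info
    info["ole_version"], info["format_id"] = struct.unpack_from("<II", blob, 0)
    pos, names = 8, []
    for _ in range(3):  # ClassName, TopicName, ItemName
        r = _lp_ansi(blob, pos)
        if r is None:
            return info
        name, pos = r
        names.append(name)
    info["class_name"] = names[0]
    if info["format_id"] == 2 and pos + 4 <= len(blob):
        (size,) = struct.unpack_from("<I", blob, pos)
        pos += 4
        info["native_size"] = size
        info["native_data"] = blob[pos:pos + size]
        info["cfb_magic"] = info["native_data"][:8] == CFB_MAGIC
    return info


def triage(rtf: str) -> dict:
    """Reproduce the report's RTF heuristics over one RTF document."""
    objects = []
    for off, blob in extract_objdata(rtf):
        o = parse_ole1(blob)
        o.update(offset=off, size=len(blob), sha256=hashlib.sha256(blob).hexdigest())
        objects.append(o)
    has_objupdate = re.search(r"\\objupdate(?![A-Za-z])", rtf) is not None
    sax = any((o["class_name"] or "").lower().startswith("msxml2.saxxmlreader") for o in objects)
    return {
        "RTF_OBJDATA": len(objects),
        "RTF_OBJEMB": re.search(r"\\objemb(?![A-Za-z])", rtf) is not None,
        "RTF_OBJUPDATE": has_objupdate,
        # SAXXMLReader object + embedded compound document + forced activation
        "CVE_2017_8759_shape": sax and any(o["cfb_magic"] for o in objects) and has_objupdate,
        "objects": objects,
    }


# --- constructed sample input (not the analysed file) -----------------------
def build_ole1(class_name: str, native: bytes) -> bytes:
    """Build an OLE1 EmbeddedObject blob for test input."""
    def lp(s: bytes) -> bytes:
        return struct.pack("<I", len(s) + 1) + s + b"\0" if s else struct.pack("<I", 0)
    return (struct.pack("<II", 0x00000501, 2) + lp(class_name.encode()) + lp(b"") + lp(b"")
            + struct.pack("<I", len(native)) + native)


def _obfuscate(hexstr: str) -> str:
    """Interleave junk control words and line breaks into the hex, as exploit builders do."""
    chunks = [hexstr[k:k + 16] for k in range(0, len(hexstr), 16)]
    return "".join(ch + ("\\lang1033 " if n % 3 == 0 else "\n") for n, ch in enumerate(chunks))


SAX_BLOB = build_ole1("Msxml2.SAXXMLReader.6.0", b'<?xml version="1.0"?>')  # constructed
CFB_BLOB = build_ole1("Package", CFB_MAGIC + b"\0" * 24)                       # constructed
SAMPLE_RTF = (
    "{\\rtf1\\ansi\n"
    "{\\object\\objemb\\objupdate{\\*\\objclass Msxml2.SAXXMLReader.6.0}"
    "{\\*\\objdata " + _obfuscate(SAX_BLOB.hex()) + "{\\*\\junk ab}}}\n"
    "{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata " + _obfuscate(CFB_BLOB.hex()) + "}}\n"
    "}"
)

if __name__ == "__main__":
    result = triage(SAMPLE_RTF)
    for k in ("RTF_OBJDATA", "RTF_OBJEMB", "RTF_OBJUPDATE", "CVE_2017_8759_shape"):
        print(f"{k}: {result[k]}")
    for o in result["objects"]:
        print(f"  off=0x{o['offset']:X} class={o['class_name']!r} "
              f"cfb={o['cfb_magic']} sha256={o['sha256'][:16]}...")
```

Run stand-alone it prints the four heuristic verdicts and one line per object (offset, class name, compound-file magic, SHA-256 prefix), which is the information the heuristics and artifacts sections of this report summarise. It deliberately stops there: it does not follow any URL and does not open the native data. On a real sample, carve the native data to disk, hash it, and hand it to oletools or ClamAV offline rather than instantiating the object.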

Extracted artifacts (6)

Files carved from inside the sample during analysis. All six carved objects are 28731 bytes and hit the same ClamAV signature, but each has a distinct SHA-256, so the repeated object is not a byte-identical copy.

Filename: objdata_00_off00002c52.bin
  Kind: rtf-objdata-decoded    Source: RTF \objdata at offset 0x2C52    Size: 28731 bytes
  SHA-256: 55e3af4d09b56994b490ea53d6263ea0897c75d859c8d5b24191a9210e43e5bb
  Detection: ClamAV Xls.Downloader.Generic-6750544-0
  Obfuscation or payload: unlikely

Filename: objdata_01_off00016c99.bin
  Kind: rtf-objdata-decoded    Source: RTF \objdata at offset 0x16C99    Size: 28731 bytes
  SHA-256: 51370eea154df5888186740d8cea3f03f9c6d86424699aac63a8181541118808
  Detection: ClamAV Xls.Downloader.Generic-6750544-0
  Obfuscation or payload: unlikely

Filename: objdata_03_off0003ed27.bin
  Kind: rtf-objdata-decoded    Source: RTF \objdata at offset 0x3ED27    Size: 28731 bytes
  SHA-256: 658581c8510315b9fd7d0afe2bc536173f79ff5b6fe52107b292238aaba1e990
  Detection: ClamAV Xls.Downloader.Generic-6750544-0
  Obfuscation or payload: unlikely

Filename: objdata_05_off00066db5.bin
  Kind: rtf-objdata-decoded    Source: RTF \objdata at offset 0x66DB5    Size: 28731 bytes
  SHA-256: da84a33584f030d336a09fc5f881823f153542361f05c729ab825c9886b8bca6
  Detection: ClamAV Xls.Downloader.Generic-6750544-0
  Obfuscation or payload: unlikely

Filename: objdata_07_off0008ee43.bin
  Kind: rtf-objdata-decoded    Source: RTF \objdata at offset 0x8EE43    Size: 28731 bytes
  SHA-256: 8b2813d88407139f30a237d71627b9678b61020721277f79bade16b4d3c81daf
  Detection: ClamAV Xls.Downloader.Generic-6750544-0
  Obfuscation or payload: unlikely

Filename: objdata_09_off000b6ed1.bin
  Kind: rtf-objdata-decoded    Source: RTF \objdata at offset 0xB6ED1    Size: 28731 bytes
  SHA-256: 609bf51bea869cfabd3399bea8edd978eb6678d0ee0e7bcfbd2b7c30182609c3
  Detection: ClamAV Xls.Downloader.Generic-6750544-0
  Obfuscation or payload: unlikely