MALICIOUS
362
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
The RTF document contains embedded OLE object data and specifically targets the Equation Editor component, indicating an exploitation attempt. The presence of `INCLUDETEXT/INCLUDEPICTURE` referencing a remote URL suggests the document is designed to download and execute a secondary payload. ClamAV detection as Rtf.Downloader.CVE_2017-6336326-3 further supports this, pointing to a downloader functionality.
Heuristics 9
-
Equation Editor CLSID critical CVE likely RTF_EQUATION_EDITOREquation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
-
ClamAV: Rtf.Downloader.CVE_2017-6336326-3 critical CLAMAV_DETECTIONClamAV detected this file as malware: Rtf.Downloader.CVE_2017-6336326-3
-
Suspicious extracted artifact critical EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Reference to LoadLibrary API high SC_STR_LOADLIBRARYReference to LoadLibrary API
-
Reference to GetProcAddress API high SC_STR_GETPROCADDRESSReference to GetProcAddress API
-
\objupdate forces OLE activation high RTF_OBJUPDATERTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
-
INCLUDETEXT/INCLUDEPICTURE remote URL high RTF_INCLUDE_REMOTERTF document uses INCLUDETEXT or INCLUDEPICTURE with an http:// URL — Word can fetch the remote content on open depending on Office version and external-content settings, enabling remote template injection, NTLM capture via redirects, or payload delivery
-
OLE object data medium RTF_OBJDATARTF contains 3 \objdata section(s) — embedded OLE objects
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://seliodrones.info/vmware/webdav.php?stats=send&thread=0 In RTF body
- https://seliodrones.info/vmware/w&In RTF body
- http://schemas.microsoft.com/office/word/2003/wordmlIn RTF body
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
objdata_00_off0000c561.bin |
rtf-objdata-decoded | RTF \objdata at offset 0xC561 | 3545 bytes |
SHA-256: a2e99936a55cd545ee995749d656f793c2902836fb2d403d4e0d610673f1786b |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Static shellcode analysis recovered URL(s): https://seliodrones.info/vmware/w& Static shellcode analysis recovered command string(s): mshta.exe https://seliodrones.info/vmware/w&C
|
|||
objdata_01_off0000e3d5.bin |
rtf-objdata-decoded | RTF \objdata at offset 0xE3D5 | 2598 bytes |
SHA-256: 572ce70bae6f6f791dfe84b4398ff0a13daedc4382172bb512f83b423d3ddfa0 |
|||
objdata_02_off0000fb03.bin |
rtf-objdata-decoded | RTF \objdata at offset 0xFB03 | 2674 bytes |
SHA-256: 00897a3a64973fc4bb3fe33fe64a90c3fc216bc0402b312abb5c6b87e5118b43 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.