Malicious RTF — malware analysis report

Static analysis result for SHA-256 c88d0f7d623b2a2c…

MALICIOUS

RTF

84.5 KB Created: 2020-06-13 09:30:00 First seen: 2022-04-28
MD5: 0e519a47ee4ee5cd194cccedf4e02c65 SHA-1: add5b4fd9aea6a38b5a8941286bc9aa4fe23bd20 SHA-256: c88d0f7d623b2a2c066dd6b15597d1f4c44d89e7a8e660e28c3494f441826ea5
142 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1559.002 Component Object Model Hijacking

The RTF file contains embedded OLE objects and triggers the \objupdate directive, which is indicative of exploitation. The critical heuristic firing for CVE-2017-8759 confirms that this file attempts to leverage this specific vulnerability in MSXML for OLE activation. This technique is commonly used to achieve arbitrary code execution.

Heuristics 5

  • CVE-2017-8759 — MSXML SAX OLE activation critical CVE likely CVE_2017_8759
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2003/wordml}}\paperw11906\paperh16838\margl1800\margr1800\margt1440\margb1440\gutter0\ltrsect

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0000ba25.bin
035bb8ffbc40b53c3d9de553eabffffca6d93b54bd548d790eda63bc4c35a0a3		 rtf-objdata-decoded RTF \objdata at offset 0xBA25 12360 bytes
objdata_01_off00011b41.bin
ed2f1ab5617a70dd2084654a51e68b02e0c4d40dac8122df4f07b88960eac7b0		 rtf-objdata-decoded RTF \objdata at offset 0x11B41 6843 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.