Malicious RTF — malware analysis report

Static analysis result for SHA-256 cd83ade470d06595…

Verdict: MALICIOUS
File type: RTF
Size: 14.10 MB
Created: 2018-01-23 22:58:00
First seen: 2022-08-02
MD5: 1dd6049d83fae48c61ec21957f9e4538
SHA-1: 29509ee419482cc7dd88160e1b59817010343340
SHA-256: cd83ade470d06595302066a5fe404dfd43616dc627825fc7ea974eb98f4bec65
Risk score: 802

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1059.001 PowerShell
  • T1059.003 Windows Command Shell
  • T1105 Ingress Tool Transfer
  • T1218.005 Certutil
  • T1218.009 SyncAppDeployment

The RTF document targets two critical vulnerabilities (CVE-2017-8759, CVE-2023-21716), with the exploit content delivered through OLE object data and excessive hex encoding. String heuristics flag references to WinExec, CreateProcess, ShellExecute, cmd.exe, PowerShell, wscript, certutil, and bitsadmin, which together point to a multi-stage download-and-execute chain. The document body also contains suspicious URLs and instructions that could lure users into executing malicious commands themselves.

Heuristics (22)

  • CVE-2017-8759 — MSXML SAX OLE activation [critical, CVE likely] CVE_2017_8759
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • CVE-2023-21716 — \fonttbl with 32768 entries [critical, CVE exact] CVE_2023_21716
    RTF font table contains 32768 font entries, which is highly anomalous — CVE-2023-21716 triggers a heap buffer overflow in Word's RTF font table parser when the number of entries is very large (exploitable from ~32768 entries). This document is suspicious.
  • URL Moniker in RTF OLE object [high, CVE related] RTF_URL_MONIKER_RELATED
    RTF contains a URL Moniker GUID in OLE object context, but no decoded remote target was confirmed. Treat as related OLE2Link attack-surface evidence rather than proof of CVE-2017-0199 exploitation.
  • Reference to WinExec API [high] SC_STR_WINEXEC
  • Reference to CreateProcess API [high] SC_STR_CREATEPROCESS
  • Reference to ShellExecute API [high] SC_STR_SHELLEXEC
  • Suspicious cmd.exe invocation with execution flag [high] SC_STR_CMD
  • Reference to PowerShell [high] SC_STR_POWERSHELL
  • Reference to Windows Script Host [high] SC_STR_WSCRIPT
  • Reference to certutil (download/decode) [high] SC_STR_CERTUTIL
  • Reference to bitsadmin (download) [high] SC_STR_BITSADMIN
  • Reference to LoadLibrary API [high] SC_STR_LOADLIBRARY
  • Reference to GetProcAddress API [high] SC_STR_GETPROCADDRESS
  • Large hex data blocks in OLE object [high] RTF_EXCESSIVE_HEX
    RTF contains ~1167 KB of hex-encoded data inside \objdata sections — may hide a payload
  • Clipboard command execution lure [high] SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • LOLBin token sequence in document text [high] SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Remote-support tool lure [high] SE_REMOTE_SUPPORT_LURE
    Document instructs the user to install, open, or connect with a remote-support tool such as AnyDesk, TeamViewer, Quick Assist, or ScreenConnect — high-risk in an unsolicited document
  • x86 push-string-call [medium] SC_PUSH_STRING
    Shellcode-style PUSH imm32 sequence builds an execution, network, or Windows API string on the stack
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object [medium] RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • OlePres presentation stream in RTF OLE object [medium] RTF_OLEPRES_STREAM
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.schmidhorst.de/regdom
    • http://www.delphipraxis.net/118485-ermitteln-ob-32-bit-oder-64-bit-betriebssystem.html
    • http://www.ebay.com:verify@www.spion.com
    • http://www.windowspro.de/tipp/einfaches-single-sign-workgroups-und-mit-samba-durch-cmdkey
    • http://www.computer-engineering.org
    • http://www.softwareok.de/?Microsoft/DontSleep
    • https://www.opautoclicker.com/
    • http://www.tnk-bootblock.co.uk/prods/misc
    • http://www.docu-track.com/home/prod_user/PDF-XChange_Tools/pdfx_viewer/
    • http://www.it-techblog.de/vista-workshop-notebooks-drahtlos-ad-hoc-vernetzen/07/2007/
    • http://jens-schaller.de/month/2008/02
    • http://www.horland.de/cwsysinfo.html
    • http://www.joshcellsoftwares.com/
    • http://www.opa-backup.de/
    • http://www.componentsoftware.com/csdiff/
    • http://www.winpooch.com/
    • http://rpi.net.au/~ajohnson/resourcehacker
    • https://fspro.net/my-lockbox/
    • http://www.ctmagazin.de/0916160
    • http://schemas.micros
    • http://www.schmidhorst.de/regdom}{
    • http://www.it-techblog.de/vista-workshop-notebooks-drahtlos-ad-hoc-vernetzen/07/20
    • http://www.ctmagazin.de/0
    • http://forum.notebookreview.com/asus/150016-asus-notebook-keys-v1-3-a.html
    • http://forum.notebookreview.com/asus/150016-asus-notebook-
    • http://forum.notebookreview.com/attachments/asus/12941d1196825791-asus-notebook-keys-v1-3-asusnbkeys_v1.3.zip
    • http://forum.notebookreview.com/attachments/asus/12942d1196825791-asus-notebook-keys-v1-3-asusnbkeys_v1.3_src.zip
    • http://www.ct.de/y3ke
    • http://www.audiograbber.de
    • http://www.tmpgenc.net
    • http://www.cdex.n3.net/
    • http://www.dbpoweramp.com/
    • http://www.dbpowera
    • http://www.s-a-d.de
    • http://www.germanixsoft.de
    • http://www.clipinc.de
    • http://www.arsgeek.com/?cat=20
    • http://www.bihler-online.de/pascal/index.htm
    • http://www.bihler-online.de/pascal/index.h
    • http://www.ct.de/yfbq
    • http://pcwelt-tipps.de/wiki/Autostart_auf_USB-Sticks
    • http://pcwelt-tipps.de/wiki/Autostart_auf_USB-Stic
    • http://support.micros
    • http://www.basta.com
    • http://www.delphifreestuff.com
    • https://www.ct.de/yf71
    • http://www.mlin.net
    • https://www.ct.de/yvea
    • http://www.SpywareInfo.com
    • http://dialerschutz.de/home/Loeschen/loeschen.html
    +2217 more URL(s)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00a0773b.bin
SHA-256: 0555a6c226fb3f047e13d94709c57d8eac404669fa60c7f8719d995e9386bf43
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0xA0773B
Size: 59544 bytes