Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 d0bb82e43e62a945…

MALICIOUS

RTF / .DOC

Size: 1014.2 KB
Created: 2019-09-17 13:59:00
MD5: 23fa7215a0d447fea14926d67846bfa5
SHA-1: 6f91e5f579b8a8c081b64193c3d308fb7eca2de1
SHA-256: d0bb82e43e62a945cb952ed04a153d08087efb5bc1e8235ced0fca3538d41415
Risk score: 200

Malware Insights

MITRE ATT&CK
T1204.002 User Execution: Malicious File; T1559.001 Inter-Process Communication: Component Object Model

The sample is an RTF document with one embedded OLE object. The object carries the Equation Editor CLSID, and the document uses the \objupdate control word so that the object is activated as soon as the file is opened, without the user clicking it. The \objdata blob begins with a hex-encoded OLE1 header for Msxml2.SAXXMLReader.6.0 followed by an OLE compound document, which is the staging shape used for CVE-2017-8759, a code-injection vulnerability in the .NET Framework SOAP WSDL parser that is reached by activating the SAXXMLReader object. Taken together, the forced activation, the exploit-associated components and the embedded object data indicate a malicious document built to run a second-stage payload. Static analysis alone does not establish which of the two exploit paths the object ultimately triggers or what that payload is.

Heuristics (6)

  • CVE-2017-8759 (MSXML SAX OLE activation) | severity: critical | rule: CVE_2017_8759 | CVE likely
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759: activating the SAXXMLReader object makes the .NET Framework fetch and parse an attacker-supplied WSDL, and the code generated from that WSDL is compiled and executed.
  • Equation Editor CLSID | severity: critical | rule: RTF_EQUATION_EDITOR
    Equation Editor OLE CLSID found inside an OLE object. Equation Editor (EQNEDT32.EXE) is the component exploited by CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798.
  • \objupdate forces OLE activation | severity: high | rule: RTF_OBJUPDATE
    RTF contains \objupdate, which forces the OLE object to be instantiated when the document is opened, so no user interaction with the object is needed. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data | severity: medium | rule: RTF_OBJDATA
    RTF contains 1 \objdata section(s) holding embedded OLE object data.
  • Embedded OLE object | severity: medium | rule: RTF_OBJEMB
    RTF contains \objemb (an embedded rather than linked OLE object).
  • Embedded URL | severity: info | rule: EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2003/wordml (the WordML schema namespace; it appears in ordinary Word-generated documents and is not an indicator on its own)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000f6c22.bin
SHA-256: 17bab7af88133c95881081d1c36c8395165363d8275adc25438dcb93bba82c7b
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0xF6C22
Size: 3739 bytes