Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 d1a99d02b80c0174…

MALICIOUS

RTF / .DOC

Size: 1.18 MB    Created: 2019-09-17 13:59:00
MD5: 521906b24d145727ae9e0558e03d78d7    SHA-1: 34bbbcc0fe82a73bf60faaa8ad7bf4afb27d24f7    SHA-256: d1a99d02b80c01741b435a024b62799e1b13a54cca26959def99396a4317ba74
Risk Score: 200

Malware Insights

The sample is an RTF document containing an embedded OLE object, specifically targeting CVE-2017-8759 through MSXML SAX OLE activation. This indicates an attempt to exploit a vulnerability for code execution. The presence of RTF_OBJDATA and RTF_OBJUPDATE heuristics further supports the exploitation of embedded objects. No specific malware family could be identified, but the attack pattern is consistent with exploiting known vulnerabilities in document formats to deliver a payload.

Heuristics (6)

  • CVE-2017-8759 — MSXML SAX OLE activation [critical | CVE | likely] CVE_2017_8759
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • Equation Editor CLSID [critical] RTF_EQUATION_EDITOR
    Equation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
  • \objupdate forces OLE activation [high] RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object [medium] RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off001247f5.bin
SHA-256: 9e43f9a340a7514f9ee5d15e87f90ac47c9597292a8b9d71c23464a1c6d56092
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1247F5
Size: 3739 bytes