Malicious RTF — malware analysis report

Static analysis result for SHA-256 d373c954857cc3c1…

Verdict: MALICIOUS
File type: RTF
Size: 473.6 KB
Created: 2020-08-03 03:52:00
First seen: 2020-09-15
MD5: 7b4cbe28c4526938e69dd0304d91e854
SHA-1: 4ae3035bd98d5437e5c4c884e5087384552fd53a
SHA-256: d373c954857cc3c14bd1264a6750b7823a83cae3c54ce25177462378d3f489ff
Risk score: 142

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment

The RTF file embeds multiple OLE objects and requests automatic OLE activation via \objupdate, a strong exploitation indicator because it removes the need for any user interaction with the object. The critical heuristic for CVE-2017-8759 (an OLE1 object naming Msxml2.SAXXMLReader.6.0 followed by an embedded compound document) indicates that this specific vulnerability is being used to achieve code execution; the match is a static shape match, so the decoded objects or a detonation should be used to confirm the payload. The single extracted URL is an XML namespace identifier carried in the RTF body, not a network IOC.

Heuristics (5)

  • CVE-2017-8759: MSXML SAX OLE activation [critical | CVE likely | CVE_2017_8759]
    The RTF contains a hex-encoded OLE1 object whose class name is Msxml2.SAXXMLReader.6.0, followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used to reach the .NET Framework SOAP/WSDL parser code-injection flaw tracked as CVE-2017-8759. Shape matching is strong evidence but not proof of a working exploit; inspect the decoded objects (or detonate the sample) to confirm.
  • \objupdate forces OLE activation [high | RTF_OBJUPDATE]
    The RTF contains \objupdate, which makes Word instantiate and update the embedded OLE object as soon as the document is opened, without the user clicking it. Legitimate documents rarely use it; it is a hallmark of RTF exploit carriers, including Equation Editor exploit documents and CVE-2017-8759 samples such as this one.
  • OLE object data [medium | RTF_OBJDATA]
    The RTF contains 8 \objdata destinations, each carrying a hex-encoded embedded OLE object (decoded copies are listed under extracted artifacts).
  • Embedded OLE object [medium | RTF_OBJEMB]
    The RTF contains \objemb, marking the object as embedded rather than linked.
  • Embedded URL [info | EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label records which channel (macro, JS, link annotation, document body, ...) reached it.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body). This is the Word 2003 WordprocessingML XML namespace identifier, a schema name present in the document markup rather than a download location, so it is not treated as a network IOC.

Extracted artifacts (8)

Files carved from inside the sample during analysis. All eight decoded objects are exactly 19515 bytes but have distinct SHA-256 values, so they should be examined individually rather than deduplicated by size.

Filename                     Kind                 Source                           Size         SHA-256
objdata_00_off00004f62.bin   rtf-objdata-decoded  RTF \objdata at offset 0x4F62    19515 bytes  859f24a5c811389a1dff013e741796d49db9975f928b354f6fa4cc4da809f35c
objdata_01_off00010ed9.bin   rtf-objdata-decoded  RTF \objdata at offset 0x10ED9   19515 bytes  967a478323ebb0d9f45edb771c017c5fa35ddd5e7d92b60d1e68c004bec9f180
objdata_02_off000200a0.bin   rtf-objdata-decoded  RTF \objdata at offset 0x200A0   19515 bytes  002ae30a77044c8a649d1b0f24284727cadb4b01c28b820dd378a6bd0086eee0
objdata_03_off0002c017.bin   rtf-objdata-decoded  RTF \objdata at offset 0x2C017   19515 bytes  7d7b44fe07ccfa83ea8706a970c330b7ac5d4d3e48b111ea87873da089693be4
objdata_04_off0003b1de.bin   rtf-objdata-decoded  RTF \objdata at offset 0x3B1DE   19515 bytes  83fa6db4b8828f7901d9549429a2d66014c161cf50cafbc79201950c701598e6
objdata_05_off00047155.bin   rtf-objdata-decoded  RTF \objdata at offset 0x47155   19515 bytes  d389007e70cfc2c857d50887e23010159753d071ea0ad86dc122cebdb5662136
objdata_06_off0005631c.bin   rtf-objdata-decoded  RTF \objdata at offset 0x5631C   19515 bytes  7b1f17ab55192ebcca421743e058a5bf732c6539f2d7caeac74866d96fb34813
objdata_07_off00062293.bin   rtf-objdata-decoded  RTF \objdata at offset 0x62293   19515 bytes  5e8ad7138bccef5a413652b0bbe9b4b63bae9e7dac65df9353cf4633456f337e
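The following Python script is an added example, not part of this report or of the analysis engine that produced it. It reproduces, on a constructed RTF, the logic behind the heuristics above (the \objupdate, \objemb and \objdata rules, and the CVE-2017-8759 shape rule: an OLE1 object naming Msxml2.SAXXMLReader followed by an OLE compound document) and the carving step behind the extracted-artifacts table (decoding each \objdata destination, recording its offset and size, and hashing it with SHA-256). The sample RTF, the OLE1 builder and the rule names are assumptions made here for illustration; the embedded object is only a compound-document header stub, not an exploit.

```python
"""Added example: RTF \\objdata carving and OLE heuristics on a constructed sample."""
import hashlib
import re
import struct

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE compound-document signature
SAX_CLASS = b"Msxml2.SAXXMLReader"                  # class the report's CVE heuristic keys on
# RTF control word (\word, \word-12), hex escape (\'hh) or control symbol (\*, \{ ...)
CONTROL_RE = re.compile(rb"\\(?:[a-zA-Z]+-?\d*|'[0-9a-fA-F]{2}|[^a-zA-Z])")
HEX_DIGITS = b"0123456789abcdefABCDEF"


def build_ole1(class_name: bytes, native: bytes) -> bytes:
    """Minimal OLE1 embedded object (MS-OLEDS ObjectHeader + NativeData), used only
    to construct the sample; the report's real objects are 19515 bytes each."""
    name = class_name + b"\x00"
    out = struct.pack("<II", 0x00000501, 2)           # OLEVersion, FormatID 2 = embedded
    out += struct.pack("<I", len(name)) + name        # ClassName, length-prefixed ANSI
    out += struct.pack("<II", 0, 0)                   # empty TopicName and ItemName
    return out + struct.pack("<I", len(native)) + native


def parse_ole1(blob: bytes):
    """Return (class_name, native_data) if blob is OLE1-shaped, else None."""
    if len(blob) < 12 or struct.unpack_from("<I", blob, 4)[0] not in (1, 2):
        return None
    pos, strings = 8, []
    for _ in range(3):                                # ClassName, TopicName, ItemName
        if pos + 4 > len(blob):
            return None
        n = struct.unpack_from("<I", blob, pos)[0]
        pos += 4
        strings.append(blob[pos:pos + n].rstrip(b"\x00"))
        pos += n
    if pos + 4 > len(blob):
        return None
    size = struct.unpack_from("<I", blob, pos)[0]
    return strings[0], blob[pos + 4:pos + 4 + size]


def objdata_blobs(rtf: bytes):
    """Yield (offset, decoded bytes) per \\objdata destination. The offset is that of
    the control word, as in the artifacts table. Hex digits are collected across line
    breaks, nested groups and interleaved control words, which obfuscated RTFs use."""
    for m in re.finditer(rb"\\objdata\b", rtf):
        pos, depth, hexchars = m.end(), 0, bytearray()
        while pos < len(rtf):
            c = rtf[pos:pos + 1]
            if c == b"{":
                depth += 1
            elif c == b"}":
                depth -= 1
                if depth < 0:                         # closed the \objdata group
                    break
            elif c == b"\\":
                cm = CONTROL_RE.match(rtf, pos)
                pos = cm.end() if cm else pos + 1
                continue
            elif c in HEX_DIGITS:
                hexchars += c
            pos += 1
        yield m.start(), bytes.fromhex(hexchars[:len(hexchars) & ~1].decode())


def analyze(rtf: bytes):
    """Apply the report's heuristics; return (hits, carved artifacts)."""
    hits, artifacts, cve_shape = [], [], False
    has_update = b"\\objupdate" in rtf
    if has_update:
        hits.append(("RTF_OBJUPDATE", "high"))
    if b"\\objemb" in rtf:
        hits.append(("RTF_OBJEMB", "medium"))
    for idx, (off, blob) in enumerate(objdata_blobs(rtf)):
        artifacts.append({"filename": f"objdata_{idx:02d}_off{off:08x}.bin",
                          "offset": off, "size": len(blob),
                          "sha256": hashlib.sha256(blob).hexdigest()})
        ole1 = parse_ole1(blob)
        # CVE-2017-8759 shape: OLE1 naming the SAX reader, native data a compound document
        if ole1 and ole1[0].startswith(SAX_CLASS) and ole1[1].startswith(OLE_MAGIC):
            cve_shape = True
    if artifacts:
        hits.append(("RTF_OBJDATA", "medium"))
    if cve_shape and has_update:                      # shape plus forced activation
        hits.append(("CVE_2017_8759", "critical"))
    return hits, artifacts


def make_sample(class_name: bytes, with_objupdate: bool) -> bytes:
    """Constructed RTF with one embedded object; the native data is only a
    compound-document header stub, so this is not a working exploit."""
    native = OLE_MAGIC + b"\x00" * 24
    hexdata = build_ole1(class_name, native).hex().encode()
    body = hexdata[:40] + b"\r\n{\\*\\nothex}" + hexdata[40:]   # line split + nested group
    upd = b"\\objupdate" if with_objupdate else b""
    return (b"{\\rtf1{\\object\\objemb" + upd + b"{\\*\\objclass " + class_name + b"}"
            b"{\\*\\objdata " + body + b"}}}")


if __name__ == "__main__":
    for label, sample in (("suspect", make_sample(b"Msxml2.SAXXMLReader.6.0", True)),
                          ("control", make_sample(b"Package", False))):
        hits, arts = analyze(sample)
        print(label, [h[0] for h in hits], [(a["filename"], a["size"]) for a in arts])
```

Run against a real carrier, `objdata_blobs` gives the same offset/size/SHA-256 triples the artifacts table lists, and `analyze` fires the CVE rule only when both the object shape and forced activation are present; the control sample (a plain Package object without \objupdate) raises only the medium-severity structural rules.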