Malicious RTF — malware analysis report

Static analysis result for SHA-256 d551c79ac018830e…

MALICIOUS

RTF

Size: 248.7 KB
Created: 2012-04-19 15:10:00
Authoring application: Microsoft Word 11.0.0000
First seen: 2014-03-08
MD5: bc3134dbede4cdc8ac15ed93eb83e558
SHA-1: 0afbb8a6461b2530ee236d7d4da69685e22cb3f0
SHA-256: d551c79ac018830e4288d89428d24b783ded03f733eaad5292d850bdc70cf988
Risk score: 162

Heuristics (5)

  • MSCOMCTL.ListView — CVE-2012-0158 (severity: high; category: CVE related; rule: CVE_2012_0158)
    RTF \objdata decodes to OLE data containing the MSCOMCTL.ListView — CVE-2012-0158 CLSID — the vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
  • CVE-2012-0158 RTF embedded encrypted payload (severity: high; category: CVE related; rule: RTF_CVE_2012_0158_EMBEDDED_PAYLOAD)
    The CVE-2012-0158 document embeds a large high-entropy binary blob — the encrypted/packed second-stage payload the exploit shellcode drops and runs. Hex-encoded object data cannot reach this entropy, so the region is genuine binary, not markup. The payload is encrypted in the file, so it is surfaced as an IOC (offset, size, SHA-256) rather than a decoded executable.
  • ClamAV: Win.Trojan.Elpapok-1 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Elpapok-1
  • OLE object data (severity: medium; rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (found in RTF body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000013c6.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x13C6
Size: 38640 bytes
SHA-256: cadff2d6a8be5ba7ed85c9ae53689f7a46cba7d02c3b496a5d81b02413939ad7