Malicious RTF — malware analysis report

Static analysis result for SHA-256 d583b78c29e20279…

MALICIOUS

RTF

1.41 MB Created: 2018-07-04 12:42:00 First seen: 2019-10-30
MD5: c9a7e1a4a26e30754924810bdf06c987 SHA-1: 00726b88ef9670d3f6ef8af3d5ffdb19ad8f6105 SHA-256: d583b78c29e202791873e1d3054012d7687ed214e49ddde2fcf104a528aa211b
282 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The RTF file contains embedded OLE objects, including a PE executable disguised within hex data. This executable is likely a payload dropped by the RTF file. The presence of URL Monikers suggests an attempt to download additional content or redirect the user. The document body discusses U.S.-Taiwan defense relations, likely a lure to encourage opening the embedded malicious content.

Heuristics 8

  • URL Moniker in RTF OLE object high CVE related RTF_URL_MONIKER_RELATED
    RTF contains a URL Moniker GUID in OLE object context, but no decoded remote target was confirmed. Treat as related OLE2Link attack-surface evidence rather than proof of CVE-2017-0199 exploitation.
  • ClamAV: Rtf.Dropper.Agent-9965975-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Rtf.Dropper.Agent-9965975-1
  • PE header (with DOS stub) in hex data critical RTF_MZ_HEX
    Hex-encoded PE (MZ + DOS stub) found inside RTF — likely an embedded executable payload
  • Package object class high RTF_OBJCLASS_PACKAGE
    OLE Package object — can wrap arbitrary files
  • Large hex data blocks in OLE object high RTF_EXCESSIVE_HEX
    RTF contains ~1190KB of hex-encoded data inside \objdata sections — may hide a payload
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://www.nytimes In RTF body
    • https://www.foreignpolicyIn RTF body
    • https://thediplomat.com/2017/10/indias-dangerous-taiwan-gambitIn RTF body
    • https://www.menendez.senate.gov/news-and-events/press/menendez-inhofe-praise-announcement-of-taiwan-arms-packageIn RTF body
    • https://foreignaffairs.house.gov/press-release/royce-engel-write-president-u-s-taiwan-relations-ahead-asia-tripIn RTF body
    • https://www.cotton.senate.gov/?p=press_release&id=847In RTF body
    • http://news.ltn.com.tw/In RTF body
    • https://jamestown.org/program/retired-taiwan-officer-exchanges-offer-insight-into-a-modern-united-frontIn RTF body
    • https://jamestown.org/program/chinas-espionage-against-taiwan-part-i-analysis-of-recent-operationsIn RTF body
    • http://www.taipeitimes.com/News/front/archives/2017/03/11/2003666539In RTF body
    • https://jamestown.org/program/taiwan-espionage-cases-highlight-changes-in-chinese-intelligence-operationsIn RTF body
    • https://www.wilsoncenter.org/article/magic-weapons-chinas-political-influence-activities-under-xi-jinpingIn RTF body
    • http://schemas.microsoft.com/office/word/2003/wordmlIn RTF body
    • https://creativecommons.org/licenses/by-nc-nd/2.0/In RTF body
    • https://www.menendez.senate.gov/news-and-events/press/menendez-inhofe-praise-announcement-of-taiwan-arms-package}{In RTF body

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00047c48.bin rtf-objdata-decoded RTF \objdata at offset 0x47C48 591395 bytes
SHA-256: fc4b632ae9e37346a2404cba28236164d95ae9854748e095ee03f46f48fffdc0
embedded_rtf_00047d0b.exe embedded-pe RTF hex-encoded MZ at offset 0x47D0B 591298 bytes
SHA-256: 6651061c8d49a292c5545f8134d4e5761d3f6f5909871c33852afb9fb58e2d82