Rtf.Dropper.Agent-7629301-0 — RTF malware analysis

Static analysis result for SHA-256 d7f15f750cceeb9e…

MALICIOUS

RTF

392.3 KB Created: 2020-01-22 11:56:00 First seen: 2020-06-01
MD5: a6cce77325e4465c78c7b7b3610e2787 SHA-1: 234a10e432e0939820b2f40bf612eda9229db720 SHA-256: d7f15f750cceeb9e28e412f278949f183f98aeb65fe99731b2340c8f1c008465
204 Risk Score

Malware Insights

Rtf.Dropper.Agent-7629301-0 · confidence 95%

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains multiple embedded OLE objects and triggers an ".objupdate" command, indicating an attempt to activate them. The critical heuristic firing for CVE-2017-8759 confirms exploitation of MSXML SAX OLE activation, a known method for executing arbitrary code. ClamAV identifies the file as Rtf.Dropper.Agent-7629301-0, suggesting its purpose is to drop and execute a secondary payload.

Heuristics 7

  • CVE-2017-8759 — MSXML SAX OLE activation critical CVE likely CVE_2017_8759
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • ClamAV: Rtf.Dropper.Agent-7629301-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Rtf.Dropper.Agent-7629301-0
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 3 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2003/wordml In RTF body

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0001076a.bin rtf-objdata-decoded RTF \objdata at offset 0x1076A 159984 bytes
SHA-256: 56b016480db8e6d2863409a4259595cc93a6cbae080d01d415db361f8481a345
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 8.00, consistent with packed or encrypted content.
objdata_01_off0005e970.bin rtf-objdata-decoded RTF \objdata at offset 0x5E970 6847 bytes
SHA-256: e41db3b920b97d35fee7cad90d8e442e95f33a22b8414d5819876e58889c49d7
objdata_02_off0005e98a.bin rtf-objdata-decoded RTF \objdata at offset 0x5E98A 6843 bytes
SHA-256: cbf708629437999ba26cf021c20424245fb880bd6c399adc3aa83dd2b149b130

Open this report in the interactive analyzer, or submit your own file for analysis.