LokiBot RTF malware analysis — malicious · d7f719eb3cc4e5d1

MALICIOUS

RTF

864.8 KB First seen: 2019-09-30

MD5: d0131a1b4a06eacad20e1ed50e837513 SHA-1: 2cad6421fdb84ad726b546284b171715adeb5029 SHA-256: d7f719eb3cc4e5d108a07728160847dd89c84c2914ba27f11faa25039f265c0d

342 Risk Score

Malware Insights

LokiBot · confidence 95%

MITRE ATT&CK

T1203 Exploitation for Client Execution

The RTF file contains multiple indicators of malicious activity, including OLE object data, composite monikers, and a PE header within hex data, strongly suggesting the exploitation of CVE-2017-8570. ClamAV detections confirm this, identifying the sample as Win.Dropper.LokiBot-10026505-0. The embedded URL http://test1.ru/newbuild/t.php?act=hit is likely used to download and execute the secondary payload.

Heuristics 7

Composite Moniker — CVE-2017-8570 (drops SCT script) critical CVE related CVE_2017_8570

RTF \objdata decodes to OLE data containing the Composite Moniker — CVE-2017-8570 (drops SCT script) CLSID — the vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
Composite Moniker in RTF OLE object high CVE related RTF_COMPOSITE_MONIKER_RELATED

RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
ClamAV: Win.Dropper.LokiBot-10026505-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Dropper.LokiBot-10026505-0
PE header (with DOS stub) in hex data critical RTF_MZ_HEX

Hex-encoded PE (MZ + DOS stub) found inside RTF — likely an embedded executable payload
\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
OLE object data medium RTF_OBJDATA

RTF contains 8 \objdata section(s) — embedded OLE objects
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://test1.ru/newbuild/t.php?act=hit In RTF body
- http://schemas.microsoft.com/office/word/2003/wordmlIn RTF body
- http://codeproject.comIn RTF body

Extracted artifacts 7

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off00018652.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x18652	885 bytes
SHA-256: `eeabec211f2ccdc2d7c9de123e145457e6ea1837722e08b7b8d755219cd5056e`
`objdata_01_off00018d6f.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x18D6F	32665 bytes
SHA-256: `7bc9ec1f0f651f44d55c29c2418a62c6073ac32e2c7b9aaefcfd115ed3f57211`
`objdata_02_off00028cd3.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x28CD3	482 bytes
SHA-256: `8f35162cb7523f92e9f44d62d12eded23d00d10857cb163693e107bc76bbe0d8`
`objdata_03_off000290cb.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x290CB	850 bytes
SHA-256: `f4d52089bdd4e315fef23608700d3284f76fb6b468ae29aa8a1c54a5ef0a4a01`
`objdata_04_off000297d6.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x297D6	2633 bytes
SHA-256: `fe11c27d916ab897eb94064e9631d8a29c847a6db39259bef31578da8d19fdf5`
`objdata_05_off0002acd3.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x2ACD3	2601 bytes
SHA-256: `67ff079a9b0f053ca2843811d9da7a8fdedc7d9d377ef39d09dde148b9657c7f`
`objdata_06_off0002c171.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x2C171	352460 bytes
SHA-256: `8420439e84fd0f7a12820459fe363e1f78c188dbe97534f1d7175ae7ba36520f`
Detection ClamAV: Win.Dropper.LokiBot-10026505-0 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.