Malicious RTF — malware analysis report

Static analysis result for SHA-256 d7f9881655d9bd41…

Verdict: MALICIOUS
File type: RTF
Size: 2.50 MB
First seen: 2019-09-30
MD5: 694f114586d0a19e75a68712737a9098
SHA-1: 0faf1c2d642a8dc3cb30a4e3c23fd4ee0fdc5f93
SHA-256: d7f9881655d9bd41571d92d8c1f906ebd4b24608d134753e89f694e672fe5506
Risk Score: 224

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment

The RTF file carries several indicators of malicious content: embedded OLE object data, an unusually large volume of hex-encoded data inside \objdata groups, and a Composite Moniker CLSID in the decoded object stream. The CVE_2017_8570 heuristic fired on that CLSID; CVE-2017-8570 abuses the Composite Moniker to drop and run a scriptlet (SCT) file, so its presence points to the staging of a secondary payload, and the \objupdate control word forces the embedded objects to activate as soon as the document is opened. No signature-based detection fired (ClamAV reported nothing on the carved artifacts), so the verdict rests on these structural heuristics rather than on a known-malware match.

Heuristics 8

  • Composite Moniker — CVE-2017-8570 (drops SCT script) [critical; CVE related; CVE_2017_8570]
    RTF \objdata decodes to OLE data containing the Composite Moniker CLSID: the vulnerable moniker is embedded directly in the document's object stream, which is the delivery shape of this exploit. RTF objects render automatically when Word opens the file, so no user interaction is required.
  • Composite Moniker in RTF OLE object [high; CVE related; RTF_COMPOSITE_MONIKER_RELATED]
    RTF contains the Composite Moniker CLSID in an OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat this as evidence of related moniker attack surface rather than as proof of CVE-2017-8570 exploitation.
  • \objupdate forces OLE activation [high; RTF_OBJUPDATE]
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Benign documents almost never need it; it is seen almost exclusively in exploit documents (Equation Editor and, as here, moniker-based ones).
  • Large hex data blocks in OLE object [high; RTF_EXCESSIVE_HEX]
    RTF contains ~1123 KB of hex-encoded data inside \objdata sections, which may hide a payload.
  • OLE object data [medium; RTF_OBJDATA]
    RTF contains 7 \objdata section(s), i.e. 7 embedded OLE objects.
  • Embedded OLE object [medium; RTF_OBJEMB]
    RTF contains \objemb, the control word marking an embedded OLE object.
  • Suspicious extracted artifact [info; EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info; EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label records which channel (macro, JS, link annotation, document body, ...) reached each URL. Six of the seven are XMP/RDF namespace URIs (Adobe XAP, Photoshop, Dublin Core, Photo Mechanic) and the seventh is a stock-image page, i.e. metadata of an embedded image rather than payload infrastructure.
    • http://www.CorbisImages.com/enlargement/42-22754942.html (in RTF body)
    • http://ns.camerabits.com/photomechanic/1.0/ (in RTF body)
    • http://ns.adobe.com/xap/1.0/ (in RTF body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in RTF body)
    • http://ns.adobe.com/photoshop/1.0/ (in RTF body)
    • http://ns.adobe.com/xap/1.0/rights/ (in RTF body)
    • http://purl.org/dc/elements/1.1/ (in RTF body)

Extracted artifacts 7

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
objdata_00_off00000025.bin | rtf-objdata-decoded | RTF \objdata at offset 0x25 | 205 bytes
  SHA-256: 75a725fc96463ea024899f12597b26031b1a5d84ddd2de407d47914073b3db59
objdata_01_off000001ea.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1EA | 385227 bytes
  SHA-256: 50438984c880fed754d40b94cd226dbdc612931c8a6914dcd486a9dce2bca1fa
objdata_02_off0011253c.bin | rtf-objdata-decoded | RTF \objdata at offset 0x11253C | 1068 bytes
  SHA-256: 2b28d78ceb2a564ae30f2b6865926b068f3f920a373c2e3fc4cb865091eddd89
objdata_03_off00112dc7.bin | rtf-objdata-decoded | RTF \objdata at offset 0x112DC7 | 742604 bytes
  SHA-256: ec16abc98ac27cae3fd21ee25333f809f8b6411f760f9ef48b9fb8c958bd903c
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact entropy is 7.86, consistent with packed or encrypted content)
objdata_04_off0027d791.bin | rtf-objdata-decoded | RTF \objdata at offset 0x27D791 | 369 bytes
  SHA-256: 3c0b4878e98d51d984a06b9ba36e54869ecd67e41f335730fced4ca28976d877
objdata_05_off0027daa7.bin | rtf-objdata-decoded | RTF \objdata at offset 0x27DAA7 | 890 bytes
  SHA-256: 21dcdf875b1972c61c0e8c2c2123f9a95c8f29fb4a2cf8bf52511b328881de8e
objdata_06_off0027e202.bin | rtf-objdata-decoded | RTF \objdata at offset 0x27E202 | 2633 bytes
  SHA-256: 27c6d10cfe7974ebf40c1200cc005f9878cc37b7d49ece9cbc396d700c38918a