Malicious RTF — malware analysis report

Static analysis result for SHA-256 d9c72a4b8298da7a…

Verdict: MALICIOUS
File type: RTF
Size: 918.5 KB    Created: 2018-05-10 16:23:00    First seen: 2018-06-14
MD5: eeb4f2ec9ba838cf0229f43e19c70dc1
SHA-1: 732298d072e22f42a222da1b906e1a63711a436b
SHA-256: d9c72a4b8298da7ae805a3dd1a7841dfd013522811809e578701f30fb6d1f447
Risk score: 262

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file embeds multiple OLE objects and carries the \objupdate control word, which forces Word to activate those objects when the document is opened. Combined with an OLE1 object whose class is Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, this is the staging shape of CVE-2017-8759 (MSXML/SOAP WSDL parser code injection) used for client execution. A ClamAV hit (Doc.Dropper.Agent-6412232-1) on the file and on every carved object corroborates the verdict. The likely delivery vector is a spearphishing attachment, with the embedded object as the mechanism that would retrieve and run a second stage. Note that static analysis recovered no payload URL (the only URL in the body is the benign wordml schema namespace), so the second stage is inferred from the exploit pattern rather than observed.

Heuristics (6)

  • CVE-2017-8759: MSXML SAX OLE activation  [critical; CVE likely]  CVE_2017_8759
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • ClamAV: Doc.Dropper.Agent-6412232-1  [critical]  CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1
  • \objupdate forces OLE activation  [high]  RTF_OBJUPDATE
    RTF contains \objupdate, which forces OLE object instantiation when the document is opened, so the object is activated without the user double-clicking it. Rare in legitimate documents; common in exploit RTFs, including Equation Editor chains and, as here, the MSXML/SOAP chain of CVE-2017-8759.
  • OLE object data  [medium]  RTF_OBJDATA
    RTF contains 10 \objdata section(s), i.e. embedded OLE objects.
  • Embedded OLE object  [medium]  RTF_OBJEMB
    RTF contains \objemb (embedded OLE object).
  • Embedded URL  [info]  EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)
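The three RTF heuristics above (\objupdate, \objdata, \objemb) and the CVE-2017-8759 staging check can be reproduced with a short carver. The following is an added example written for this page, not the analysis tool's own code: it scans an RTF for the control words, decodes each hex-encoded \objdata group, parses the OLE1 ObjectHeader ([MS-OLEDS]) to recover the class name and check whether the native data is a compound document, and tags the document the way the heuristics table does. The sample RTF is constructed inline (its OLE1 object is produced by build_ole1_embedded_object, a helper that exists only to build the sample); the tag names and the rule that CVE_2017_8759 fires only when a SAXXMLReader class name, a compound-document payload and \objupdate occur together are this example's assumptions about how the report's heuristics combine, not a statement of the tool's logic.

```python
import re
import struct
from binascii import hexlify
# Header signature of an OLE compound document ([MS-CFB] 2.2).
OLE_CF_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
RE_OBJDATA = re.compile(rb"\\objdata(?![a-zA-Z])")   # control words end at the first non-letter
RE_CONTROL_WORD = re.compile(rb"\\[a-zA-Z]+-?\d* ?")

def _has_control_word(rtf: bytes, word: bytes) -> bool:
    return re.search(rb"\\" + word + rb"(?![a-zA-Z])", rtf) is not None

def _lp_ansi(s: str) -> bytes:
    """LengthPrefixedAnsiString ([MS-OLEDS] 2.1.4): 4-byte length, then NUL-terminated bytes."""
    if not s:
        return struct.pack("<I", 0)
    raw = s.encode("ascii") + b"\x00"
    return struct.pack("<I", len(raw)) + raw

def build_ole1_embedded_object(class_name: str, native_data: bytes) -> bytes:
    """Build an OLE1 EmbeddedObject ([MS-OLEDS] 2.2.5). Used only to construct the sample below."""
    header = struct.pack("<II", 0x00000501, 0x00000002)          # OLEVersion, FormatID 2 = embedded
    header += _lp_ansi(class_name) + _lp_ansi("") + _lp_ansi("")  # ClassName, TopicName, ItemName
    return header + struct.pack("<I", len(native_data)) + native_data

def parse_ole1_object(blob: bytes):
    """Parse an OLE1 ObjectHeader plus, for embedded objects, the NativeData that follows.
    Returns None on truncated or hostile input instead of raising."""
    if len(blob) < 8:
        return None
    _, format_id = struct.unpack_from("<II", blob, 0)
    pos, names = 8, []
    for _ in range(3):                                  # ClassName, TopicName, ItemName
        if pos + 4 > len(blob):
            return None
        (n,) = struct.unpack_from("<I", blob, pos)
        pos += 4
        if n > 0x1000 or pos + n > len(blob):           # length fields are attacker-controlled
            return None
        names.append(blob[pos:pos + n].rstrip(b"\x00").decode("latin-1"))
        pos += n
    native = b""
    if format_id == 2:
        if pos + 4 > len(blob):
            return None
        (size,) = struct.unpack_from("<I", blob, pos)
        native = blob[pos + 4:pos + 4 + size]            # slicing clamps an oversized size field
    return {"format_id": format_id, "class_name": names[0],
            "native_size": len(native), "compound_doc": native.startswith(OLE_CF_MAGIC)}

def carve_objdata(rtf: bytes):
    """Yield the decoded bytes of every \\objdata group. The hex may span lines and be
    interleaved with control words that Word ignores; \\bin (raw binary) is not handled."""
    for m in RE_OBJDATA.finditer(rtf):
        end = rtf.find(b"}", m.end())
        body = rtf[m.end():end if end != -1 else len(rtf)]
        body = re.sub(rb"\s+", b"", RE_CONTROL_WORD.sub(b"", body))
        if len(body) % 2:                                # drop a dangling nibble, as Word does
            body = body[:-1]
        try:
            yield bytes.fromhex(body.decode("ascii"))
        except (ValueError, UnicodeDecodeError):
            yield b""                                    # non-hex garbage still counts as a section

def analyze_rtf(rtf: bytes) -> dict:
    """Raise the report's RTF tags (tag names and the CVE rule are assumptions) for one document."""
    parsed = [parse_ole1_object(blob) for blob in carve_objdata(rtf)]
    result = {
        "objupdate": _has_control_word(rtf, b"objupdate"),
        "objemb": _has_control_word(rtf, b"objemb"),
        "objdata_count": len(parsed),
        "objects": [o for o in parsed if o],
        "tags": [],
    }
    if result["objupdate"]:
        result["tags"].append("RTF_OBJUPDATE")
    if result["objemb"]:
        result["tags"].append("RTF_OBJEMB")
    if result["objdata_count"]:
        result["tags"].append("RTF_OBJDATA")
    has_sax = any("saxxmlreader" in o["class_name"].lower() for o in result["objects"])
    has_cfb = any(o["compound_doc"] for o in result["objects"])
    if has_sax and has_cfb and result["objupdate"]:      # the staging shape the CVE heuristic describes
        result["tags"].append("CVE_2017_8759")
    return result

# Constructed sample (not the analysed file): one embedded OLE1 object for the MSXML SAX
# reader whose NativeData opens with a compound-document header, plus \objemb\objupdate.
_hex = hexlify(build_ole1_embedded_object("Msxml2.SAXXMLReader.6.0", OLE_CF_MAGIC + b"\x00" * 24))
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\deff0\n"
    b"{\\object\\objemb\\objupdate{\\*\\objclass Msxml2.SAXXMLReader.6.0}\n"
    b"{\\*\\objdata " + _hex[:40] + b"\n" + _hex[40:] + b"}}\n"
    b"Quarterly figures attached.\\par}\n"
)
BENIGN_RTF = b"{\\rtf1\\ansi Hello world.\\par}"

if __name__ == "__main__":
    print(analyze_rtf(SAMPLE_RTF), analyze_rtf(BENIGN_RTF), sep="\n")
```

Run it against a real sample with `analyze_rtf(open(path, "rb").read())`. The length guards in parse_ole1_object matter in practice: the OLE1 length fields are attacker-controlled and a carver that trusts them is itself a crash target. For production use prefer oletools (rtfobj), which also handles \bin data and the control-word obfuscation that this simplified decoder only approximates.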

Extracted artifacts (10)

Files carved from inside the sample during analysis.

All ten artifacts share the same kind (rtf-objdata-decoded), the same size (33339 bytes) and the same detection (ClamAV: Doc.Dropper.Agent-6412232-1; obfuscation or payload: unlikely). They carry ten distinct SHA-256 hashes, so the copies are not byte-identical; embedding the trigger object repeatedly is common in exploit RTFs, and diffing the carved objects is the natural next step.

Filename                     Source (RTF \objdata offset)   SHA-256
objdata_00_off00002c1e.bin   0x2C1E                         fe87264bdf8f763c3da7c45d610283f2e49b88b517dfdf7f5496a24009c771cd
objdata_01_off00018b3a.bin   0x18B3A                        377068532fddb0568c54dd9474d2a8dc483b23f973717fd122262d090718aa91
objdata_02_off0002ea56.bin   0x2EA56                        bb9217058526265d96fb2ccff35146ecd6a7a012227a56cc44f8ca3e23b5e43e
objdata_03_off00044972.bin   0x44972                        388cae88c9c44adbb4d3f7ed2ed2c7e057e6b4e2355b66be7e9448f23587bc3e
objdata_04_off0005a88e.bin   0x5A88E                        83478e1857b1e142e96a40e35e578bcdb571f0c792a82f3b15967f5870c60378
objdata_05_off000707f6.bin   0x707F6                        77cb894a44e822bcbd4f6b689eec378f72f511b192f820eb3f37de22c13ca722
objdata_06_off00086712.bin   0x86712                        8b938c32115c88d330b87e38be623393ec988e1bf0bcee82a4a80c0184dd8ecb
objdata_07_off0009c62e.bin   0x9C62E                        dea113c924b7028a0af8bfe4cde1b134ee76f667f65e1751e2888200d6ba92a2
objdata_08_off000b254a.bin   0xB254A                        549d0779d7726aaf0e85c2b4d3849c80a5d219230346a638871aaee79912523a
objdata_09_off000c8466.bin   0xC8466                        10214804c9dc07fcf7b665e6d8946c8f773cb6308a260565dc93fe26490d463d