Malicious RTF — malware analysis report

Static analysis result for SHA-256 dc8425f8c966708b…

Verdict: MALICIOUS

File type: RTF

Size: 195.1 KB
Created: 2017-11-23 01:06:00
First seen: 2019-04-18
MD5: 0c1b11b8159e78143bc67a49033fd406
SHA-1: 4336f7a0f1095f9520a9a343321463b758b5f4bf
SHA-256: dc8425f8c966708b1a3c26f0545664ccbf853852af401b91ae7f29d351e2649c
Risk Score: 242

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF file fires multiple critical heuristics. Its OLE object data contains the Composite Moniker CLSID, the delivery pattern of CVE-2017-8570, in which the moniker chain drops and executes an SCT scriptlet; it also contains the Equation Editor CLSID, the control targeted by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798. Together with \objupdate, which instantiates the embedded objects without user interaction, this indicates that the file's primary purpose is arbitrary code execution on open. The ClamAV detection (Rtf.Dropper.Agent-7122089-0) further confirms the verdict.

Heuristics (6)

  • Composite Moniker — CVE-2017-8570 (drops SCT script) [critical, CVE related, CVE_2017_8570]
    RTF \objdata decodes to OLE data containing the Composite Moniker CLSID, the delivery shape of CVE-2017-8570: the vulnerable moniker is embedded directly in the document's object stream and, when bound, drops and runs an SCT scriptlet. Embedded RTF objects are instantiated when Word opens the file.
  • Equation Editor CLSID [critical, CVE likely, RTF_EQUATION_EDITOR]
    Equation Editor OLE CLSID found inside an OLE object; this control is the target of CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798.
  • ClamAV: Rtf.Dropper.Agent-7122089-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Rtf.Dropper.Agent-7122089-0
  • \objupdate forces OLE activation [high, RTF_OBJUPDATE]
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, without any user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium, RTF_OBJDATA]
    RTF contains 9 \objdata section(s): embedded OLE objects.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in RTF body). This is the OOXML DrawingML namespace identifier that Word writes into RTF for embedded shapes and math, not a network indicator; it should not be treated as a callback address.
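A small checker that reproduces the RTF_OBJDATA, RTF_OBJUPDATE and CLSID heuristics above, added here as an example; it is not code from this page or from the analysis engine that produced the report. It pulls every \objdata destination out of an RTF, decodes the hex, reads the OLE 1.0 object header to recover the class name, scans the decoded bytes for the CLSIDs these heuristics key on (Composite Moniker, File Moniker, New Moniker, Equation.3), and reports whether \objupdate is present. The CLSID values are the documented COM class IDs, not values taken from this sample. The RTF it runs on is constructed inline, with the CLSID bytes placed directly in the native data as a stand-in for the compound-file container a real sample would carry.

```python
import re
import struct
import uuid

# Documented COM class IDs the heuristics key on (assumption: these are the
# values to look for; they are not taken from the analysed file).
KNOWN_CLSIDS = {
    "00000309-0000-0000-c000-000000000046": "Composite Moniker (CVE-2017-8570 pattern)",
    "00000303-0000-0000-c000-000000000046": "File Moniker (bound via the Composite Moniker)",
    "ecabafc6-7f19-11d2-978e-0000f8757e2a": "New Moniker (instantiates the dropped scriptlet)",
    "0002ce02-0000-0000-c000-000000000046": "Equation.3 / Equation Editor (CVE-2017-11882 family)",
}
HEXDIGITS = frozenset(b"0123456789abcdefABCDEF")


def extract_objdata(rtf: bytes):
    """Yield (offset, decoded bytes) for every \\objdata destination.
    Walks to the brace that closes the \\objdata group, skipping nested
    groups and control words, and keeps only hex digits (as Word does)."""
    for m in re.finditer(rb"\\objdata\b", rtf):
        i, depth, hexchars = m.end(), 0, bytearray()
        while i < len(rtf):
            c = rtf[i]
            if c == ord("{"):
                depth += 1
            elif c == ord("}"):
                if depth == 0:
                    break
                depth -= 1
            elif c == ord("\\"):                      # control word or control symbol
                j = i + 1
                while j < len(rtf) and rtf[j:j + 1].isalpha():
                    j += 1
                if j == i + 1:                         # control symbol such as \{
                    j += 1
                else:
                    while j < len(rtf) and rtf[j] in b"-0123456789":   # numeric parameter
                        j += 1
                    if j < len(rtf) and rtf[j] == ord(" "):            # delimiting space
                        j += 1
                i = j
                continue
            elif c in HEXDIGITS:
                hexchars.append(c)
            i += 1
        if len(hexchars) % 2:
            hexchars.pop()                             # drop a truncated trailing nibble
        yield m.start(), bytes.fromhex(hexchars.decode("ascii"))


def parse_ole1_header(blob: bytes):
    """Read the OLE 1.0 ObjectHeader at the front of a decoded blob:
    OLEVersion (u32), FormatID (u32: 1 linked, 2 embedded), ClassName (u32 length + ANSI)."""
    if len(blob) < 12:
        return None
    version, format_id, namelen = struct.unpack_from("<III", blob, 0)
    if namelen > len(blob) - 12:
        return None
    name = blob[12:12 + namelen].rstrip(b"\x00").decode("latin-1")
    return {"version": version, "format_id": format_id, "class_name": name}


def find_clsids(blob: bytes):
    """Scan the decoded object for known CLSIDs in their on-disk (little-endian) layout."""
    hits = []
    for guid, label in KNOWN_CLSIDS.items():
        needle = uuid.UUID(guid).bytes_le
        pos = blob.find(needle)
        while pos != -1:
            hits.append((pos, guid, label))
            pos = blob.find(needle, pos + 1)
    return sorted(hits)


def analyze_rtf(rtf: bytes) -> dict:
    """Run the \\objdata / \\objupdate / CLSID checks over one RTF file."""
    objects = [{"offset": off, "size": len(blob),
                "header": parse_ole1_header(blob), "clsids": find_clsids(blob)}
               for off, blob in extract_objdata(rtf)]
    return {"objdata_count": len(objects),
            "objupdate": re.search(rb"\\objupdate\b", rtf) is not None,
            "objects": objects}


def build_ole1_embedded(class_name: bytes, native: bytes) -> bytes:
    """Constructed test data: minimal OLE 1.0 EmbeddedObject with empty TopicName/ItemName."""
    name = class_name + b"\x00"
    return (struct.pack("<III", 0x00000501, 2, len(name)) + name
            + struct.pack("<II", 0, 0) + struct.pack("<I", len(native)) + native)


# Constructed sample RTF (not the analysed file): an Equation.3 object under \objupdate
# and an OLE2Link object whose native data carries Composite + File Moniker CLSIDs.
EQ_CLSID = "0002ce02-0000-0000-c000-000000000046"
CM_CLSID = "00000309-0000-0000-c000-000000000046"
FM_CLSID = "00000303-0000-0000-c000-000000000046"
SAMPLE_EQ_OBJECT = build_ole1_embedded(b"Equation.3", uuid.UUID(EQ_CLSID).bytes_le + b"\x00" * 16)
SAMPLE_CM_OBJECT = build_ole1_embedded(b"OLE2Link", uuid.UUID(CM_CLSID).bytes_le + uuid.UUID(FM_CLSID).bytes_le)
SAMPLE_RTF = (b"{\\rtf1\\ansi{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}{\\*\\objdata "
              + SAMPLE_EQ_OBJECT.hex().encode() + b"}}{\\object\\objemb{\\*\\objdata "
              + SAMPLE_CM_OBJECT.hex().encode() + b"}}}")

if __name__ == "__main__":
    report = analyze_rtf(SAMPLE_RTF)
    print(f"objdata sections: {report['objdata_count']}  objupdate: {report['objupdate']}")
    for obj in report["objects"]:
        print(f"  offset 0x{obj['offset']:X}  size {obj['size']}  class {obj['header']['class_name']!r}")
        for pos, guid, label in obj["clsids"]:
            print(f"    +{pos}: {guid}  {label}")
```

On a real sample the OLE 1.0 native data is a compound-file (CFB) container rather than bare bytes, but CFB stores the directory-entry CLSIDs uncompressed, so the same linear scan finds them. The decoder keeps only hex digits and steps over control words and nested groups, which is also why samples that scatter junk control words through the blob still decode; \'hh escapes inside \objdata are not handled here.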

Extracted artifacts (9)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
objdata_00_off00009df5.bin | rtf-objdata-decoded | RTF \objdata at offset 0x9DF5 | 2638 bytes | 6a47df84db93444d367fbeb04bf0764f88e7e04488e9e8564b5764fab165c5b6
objdata_01_off0000b4df.bin | rtf-objdata-decoded | RTF \objdata at offset 0xB4DF | 901 bytes | 8c3a0a806810d9fbfa0c3685249649d13c92db98aac7a9f7be5701b2502d7835
objdata_02_off0000be37.bin | rtf-objdata-decoded | RTF \objdata at offset 0xBE37 | 871 bytes | 625963ab555f7673af67211b375bfc2fe94f54ad4067cfd7b71626786a8a8eb2
objdata_03_off0000c753.bin | rtf-objdata-decoded | RTF \objdata at offset 0xC753 | 26819 bytes | 5362a770f9d95429be88d57b984f0392af0a8b17905715912897d2cf3881e9bb
objdata_04_off00019b52.bin | rtf-objdata-decoded | RTF \objdata at offset 0x19B52 | 3271 bytes | 3e4de491815c0ad3cf30a6f9cb6e81dfae7c19f1bc0f033dcb01ed50ca70124d
objdata_05_off0001b99f.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1B99F | 2638 bytes | 1a600e2dd15e7894fd80b93f73b27a80ec653c9ef716e462f552bbed8eba8b96
objdata_06_off0001d0e9.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1D0E9 | 4682 bytes | 49e15c8e084234dc5e7e4f0a3cfcd2b36e709769219b7b81c0cf476e538d763b
objdata_07_off0001f81d.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1F81D | 3980 bytes | b9b80bc1ba7cfd61e13e69ff5d31e358ae95dedd8d075a99c2e909a921cfe775
objdata_08_off000219d7.bin | rtf-objdata-decoded | RTF \objdata at offset 0x219D7 | 2601 bytes | 5546af66999a1b5674382609da6c5fe9c2506de78a4db8fb99b644e8cba5fefb