Malicious RTF — malware analysis report

Static analysis result for SHA-256 de1ccda0d6018364…

MALICIOUS

RTF

737.1 KB Created: 2018-04-27 01:15:00 First seen: 2018-08-05
MD5: 94eb32ba0d7b02c1d680bb967259ecd4 SHA-1: df917dbad5074f12df2a28890bdba9f27601c62d SHA-256: de1ccda0d601836417925588462f58c88c89f5ff7c09225eda21271657119143
262 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains multiple embedded OLE objects and triggers an ".objupdate" command, which is indicative of exploiting vulnerabilities like CVE-2017-8759 for client execution. ClamAV detections further confirm its malicious nature, flagging it as Doc.Macro.Obfuscation. The primary attack vector is likely spearphishing attachment, with the embedded OLE object serving as the mechanism to download and execute a secondary payload.

Heuristics 6

  • CVE-2017-8759 — MSXML SAX OLE activation critical CVE likely CVE_2017_8759
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • ClamAV: Doc.Dropper.Agent-6412232-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 10 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2003/wordml In RTF body

Extracted artifacts 10

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00002c17.bin rtf-objdata-decoded RTF \objdata at offset 0x2C17 24123 bytes
SHA-256: 2ecc70c24823a8bf3f8a800774a1842f18b363daae583b25333395e54e3bb4af
Detection
ClamAV: Doc.Dropper.Agent-6412232-1
Obfuscation or payload: unlikely
objdata_01_off0001429d.bin rtf-objdata-decoded RTF \objdata at offset 0x1429D 24123 bytes
SHA-256: 2657135e6d0a236089cd7e64241ed148ec3aed6227f36f30441db80f0d1e5396
Detection
ClamAV: Doc.Dropper.Agent-6412232-1
Obfuscation or payload: unlikely
objdata_02_off00025923.bin rtf-objdata-decoded RTF \objdata at offset 0x25923 24123 bytes
SHA-256: 168a5145ece1fbc730df202950463549044f8e9bdec7d9edf20353f5d9cf088d
Detection
ClamAV: Doc.Dropper.Agent-6412232-1
Obfuscation or payload: unlikely
objdata_03_off00036fa9.bin rtf-objdata-decoded RTF \objdata at offset 0x36FA9 24123 bytes
SHA-256: c361c5606c8902f092416fa189e822267aea4a2b340d6f7bed246ee267177ffe
Detection
ClamAV: Doc.Dropper.Agent-6412232-1
Obfuscation or payload: unlikely
objdata_04_off0004862f.bin rtf-objdata-decoded RTF \objdata at offset 0x4862F 24123 bytes
SHA-256: 5a69c773d02eeea5bb6e5fd4a245e4e62aced829629cf7497f3b85430d6fdce4
Detection
ClamAV: Doc.Dropper.Agent-6412232-1
Obfuscation or payload: unlikely
objdata_05_off00059cff.bin rtf-objdata-decoded RTF \objdata at offset 0x59CFF 24123 bytes
SHA-256: 9864816210c9e05930e165a6e687bef62959312a7bf82113d90c6972534ae9e0
Detection
ClamAV: Doc.Dropper.Agent-6412232-1
Obfuscation or payload: unlikely
objdata_06_off0006b385.bin rtf-objdata-decoded RTF \objdata at offset 0x6B385 24123 bytes
SHA-256: 34606f5be767921869afac94c0a32e9fc0a1cbf33608e2e7f5d279cde71d8f56
Detection
ClamAV: Doc.Dropper.Agent-6412232-1
Obfuscation or payload: unlikely
objdata_07_off0007ca0b.bin rtf-objdata-decoded RTF \objdata at offset 0x7CA0B 24123 bytes
SHA-256: d8cc8ea1f7da04b417622d5d704f73a07af05013f9e59e7904307558557289c6
Detection
ClamAV: Doc.Dropper.Agent-6412232-1
Obfuscation or payload: unlikely
objdata_08_off0008e091.bin rtf-objdata-decoded RTF \objdata at offset 0x8E091 24123 bytes
SHA-256: 53704e5cdb034877e543486d7184421aa1de3821fa1e341ba02d105b6352c17a
Detection
ClamAV: Doc.Dropper.Agent-6412232-1
Obfuscation or payload: unlikely
objdata_09_off0009f717.bin rtf-objdata-decoded RTF \objdata at offset 0x9F717 24123 bytes
SHA-256: e29785b77ea7917da7eaeb5707ed765978fe8debb0d00899c0ab4f9d8196597f
Detection
ClamAV: Doc.Dropper.Agent-6412232-1
Obfuscation or payload: unlikely