Malicious RTF — malware analysis report

Static analysis result for SHA-256 e006642cbbf6940b…

MALICIOUS

RTF

841.3 KB Created: 2018-03-12 22:14:00 First seen: 2018-06-21
MD5: 6c3ba4407cdd924a0d74367bfe9cde8d SHA-1: a52703cfcf8bafce1122c4ecce30726cf3b6a6df SHA-256: e006642cbbf6940bfd8a0e97f0bfb2b5913314082b216bab8fd857bee14eda64
262 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains multiple embedded OLE objects and triggers an ".objupdate" command, which is indicative of exploiting vulnerabilities like CVE-2017-8759 for client execution. ClamAV detections further confirm its malicious nature, flagging it as Doc.Macro.Obfuscation. The primary attack vector is likely spearphishing attachment, with the embedded OLE object serving as the mechanism to download and execute a secondary payload.

Heuristics 6

  • CVE-2017-8759 — MSXML SAX OLE activation critical CVE likely CVE_2017_8759
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • ClamAV: Xls.Downloader.Generic-6750544-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Generic-6750544-0
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 10 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2003/wordml In RTF body

Extracted artifacts 6

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00002c4d.bin rtf-objdata-decoded RTF \objdata at offset 0x2C4D 28731 bytes
SHA-256: ed2b5e9e2bfd3457b756fba1f61a27936c94f08c6f60cdc843fc29b2925de17b
Detection
ClamAV: Xls.Downloader.Generic-6750544-0
Obfuscation or payload: unlikely
objdata_01_off00016c8e.bin rtf-objdata-decoded RTF \objdata at offset 0x16C8E 28731 bytes
SHA-256: cacd2dc2fbf413201a87a986ca347dcdf912e72f036d6c0a2861aff3515b2fa7
Detection
ClamAV: Xls.Downloader.Generic-6750544-0
Obfuscation or payload: unlikely
objdata_02_off0002accf.bin rtf-objdata-decoded RTF \objdata at offset 0x2ACCF 28731 bytes
SHA-256: 8c5d00cfb97b5e10cfac835d0cb7ab0d2f7364a3058b2ad8f0018ac7240194e8
Detection
ClamAV: Xls.Downloader.Generic-6750544-0
Obfuscation or payload: unlikely
objdata_04_off00052d51.bin rtf-objdata-decoded RTF \objdata at offset 0x52D51 28731 bytes
SHA-256: 0ded1eaeab207a9e479668fa90de1050d6fba0217a8ff3cc12672fe35921282d
Detection
ClamAV: Xls.Downloader.Generic-6750544-0
Obfuscation or payload: unlikely
objdata_06_off0007add3.bin rtf-objdata-decoded RTF \objdata at offset 0x7ADD3 28731 bytes
SHA-256: 383c87797c6775f38cf9a669c2f317f2aa8b8ab2d7f303978e380420138b3e40
Detection
ClamAV: Xls.Downloader.Generic-6750544-0
Obfuscation or payload: unlikely
objdata_08_off000a2e55.bin rtf-objdata-decoded RTF \objdata at offset 0xA2E55 28731 bytes
SHA-256: 9c6de57376a0643d162d4b42fc6cc3f89f4117c94d44493eb1bd215c47235cb9
Detection
ClamAV: Xls.Downloader.Generic-6750544-0
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.