Malicious RTF — malware analysis report

Static analysis result for SHA-256 e14a3d818a36907b…

Verdict: MALICIOUS
File type: RTF
Size: 2.50 MB
First seen: 2019-02-26
MD5: 211193e8b4b89a02b0ca1afa894ab06a
SHA-1: e0bb141b6c3c2a94e837daa4539796c330a3b9bc
SHA-256: e14a3d818a36907b2cb0503e4570a1d730d04913134ecc7b42308d8aac16e044
Risk score: 224

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file contains multiple indicators of malicious activity, including OLE object data and excessive hex data, strongly suggesting the presence of embedded malicious content. Specifically, the 'CVE_2017_8570' heuristic firing indicates the exploitation of a vulnerability to drop a script. The presence of a composite moniker further supports this, pointing towards the execution of a secondary payload.

Heuristics (8)

Each entry lists the heuristic name followed by [severity, category (where given), rule ID].

  • Composite Moniker — CVE-2017-8570 (drops SCT script) [critical, CVE related, CVE_2017_8570]
    RTF \objdata decodes to OLE data containing the Composite Moniker — CVE-2017-8570 (drops SCT script) CLSID — the vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
  • Composite Moniker in RTF OLE object [high, CVE related, RTF_COMPOSITE_MONIKER_RELATED]
    RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • \objupdate forces OLE activation [high, RTF_OBJUPDATE]
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • Large hex data blocks in OLE object [high, RTF_EXCESSIVE_HEX]
    RTF contains ~1123KB of hex-encoded data inside \objdata sections — may hide a payload.
  • OLE object data [medium, RTF_OBJDATA]
    RTF contains 7 \objdata section(s) — embedded OLE objects.
  • Embedded OLE object [medium, RTF_OBJEMB]
    RTF contains \objemb — embedded OLE object.
  • Suspicious extracted artifact [info, EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.CorbisImages.com/enlargement/42-22754942.html (in RTF body)
    • http://ns.camerabits.com/photomechanic/1.0/ (in RTF body)
    • http://ns.adobe.com/xap/1.0/ (in RTF body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in RTF body)
    • http://ns.adobe.com/photoshop/1.0/ (in RTF body)
    • http://ns.adobe.com/xap/1.0/rights/ (in RTF body)
    • http://purl.org/dc/elements/1.1/ (in RTF body)

Extracted artifacts (7)

Files carved from inside the sample during analysis. Each entry lists filename, then kind, source and size, then the artifact's SHA-256.

  • objdata_00_off00000025.bin
    Kind: rtf-objdata-decoded; Source: RTF \objdata at offset 0x25; Size: 205 bytes
    SHA-256: 75a725fc96463ea024899f12597b26031b1a5d84ddd2de407d47914073b3db59
  • objdata_01_off000001ee.bin
    Kind: rtf-objdata-decoded; Source: RTF \objdata at offset 0x1EE; Size: 385227 bytes
    SHA-256: 50438984c880fed754d40b94cd226dbdc612931c8a6914dcd486a9dce2bca1fa
  • objdata_02_off00112547.bin
    Kind: rtf-objdata-decoded; Source: RTF \objdata at offset 0x112547; Size: 1068 bytes
    SHA-256: 2b28d78ceb2a564ae30f2b6865926b068f3f920a373c2e3fc4cb865091eddd89
  • objdata_03_off00112dd8.bin
    Kind: rtf-objdata-decoded; Source: RTF \objdata at offset 0x112DD8; Size: 742604 bytes
    SHA-256: ec16abc98ac27cae3fd21ee25333f809f8b6411f760f9ef48b9fb8c958bd903c
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Carved artifact entropy is 7.86, consistent with packed or encrypted content.
  • objdata_04_off0027d7a8.bin
    Kind: rtf-objdata-decoded; Source: RTF \objdata at offset 0x27D7A8; Size: 369 bytes
    SHA-256: 3c0b4878e98d51d984a06b9ba36e54869ecd67e41f335730fced4ca28976d877
  • objdata_05_off0027dac6.bin
    Kind: rtf-objdata-decoded; Source: RTF \objdata at offset 0x27DAC6; Size: 890 bytes
    SHA-256: 21dcdf875b1972c61c0e8c2c2123f9a95c8f29fb4a2cf8bf52511b328881de8e
  • objdata_06_off0027e238.bin
    Kind: rtf-objdata-decoded; Source: RTF \objdata at offset 0x27E238; Size: 2633 bytes
    SHA-256: 27c6d10cfe7974ebf40c1200cc005f9878cc37b7d49ece9cbc396d700c38918a