Malicious RTF — malware analysis report

Static analysis result for SHA-256 e2ff3065b2618c3c…

Verdict: MALICIOUS
File type: RTF
Size: 737.1 KB
Created: 2018-05-02 19:22:00
First seen: 2019-01-12
MD5: bb9c2ce7b30abe7c268bb3f285aa3a7f
SHA-1: f2778b3b5a7c66d941393215ba3645724bd9d016
SHA-256: e2ff3065b2618c3c5184e956614f2791862eca76b55ff8b7148e02287c2ed999
Risk Score: 262

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file contains multiple embedded OLE objects and carries a \objupdate control word, which forces the objects to be activated when the document is opened and is a staging pattern associated with client-execution exploits such as CVE-2017-8759. ClamAV detections further confirm its malicious nature, flagging it as Doc.Macro.Obfuscation. The primary attack vector is likely a spearphishing attachment, with the embedded OLE object serving as the mechanism to download and execute a secondary payload.

Heuristics (6)

  • CVE-2017-8759 — MSXML SAX OLE activation [critical] [CVE likely] CVE_2017_8759
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • ClamAV: Doc.Dropper.Agent-6412232-1 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1
  • \objupdate forces OLE activation [high] RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 10 \objdata section(s) — embedded OLE objects
  • Embedded OLE object [medium] RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Fields per artifact: Filename, Kind, Source, Size, SHA-256, Detection, Obfuscation or payload.

  • objdata_00_off00002c17.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x2C17
    Size: 24123 bytes
    SHA-256: a9ad904efac29c39572cf59742bae60de78f09d22344310976b808c4874e216b
    Detection: ClamAV: Doc.Dropper.Agent-6412232-1
    Obfuscation or payload: unlikely
  • objdata_01_off0001429d.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x1429D
    Size: 24123 bytes
    SHA-256: b78bd697bf03835680fa881c3b4304de7d7fed20aed95e16e25a818958828803
    Detection: ClamAV: Doc.Dropper.Agent-6412232-1
    Obfuscation or payload: unlikely
  • objdata_02_off00025923.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x25923
    Size: 24123 bytes
    SHA-256: 24f3b313cad1fc02221bd702d9a293469df750c43abcc9b870e26b16a750555b
    Detection: ClamAV: Doc.Dropper.Agent-6412232-1
    Obfuscation or payload: unlikely
  • objdata_03_off00036fa9.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x36FA9
    Size: 24123 bytes
    SHA-256: e5d1469a29e448edd3b1286a59c5902cc00361e3457880cdd718f9166f978622
    Detection: ClamAV: Doc.Dropper.Agent-6412232-1
    Obfuscation or payload: unlikely
  • objdata_04_off0004862f.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x4862F
    Size: 24123 bytes
    SHA-256: b7f7d17ddbeae8bde1f2a467dbda5435b126b60323c95f81f14d80599937b2b0
    Detection: ClamAV: Doc.Dropper.Agent-6412232-1
    Obfuscation or payload: unlikely
  • objdata_05_off00059cff.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x59CFF
    Size: 24123 bytes
    SHA-256: 7fb8043d8bdb35ca3c390d36f3ba9ce2f24580dc503afdfd06ba42bf6f17fc76
    Detection: ClamAV: Doc.Dropper.Agent-6412232-1
    Obfuscation or payload: unlikely
  • objdata_06_off0006b385.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x6B385
    Size: 24123 bytes
    SHA-256: faf24f804a2d86a51b7abb0b9285e95ccffb015afb0c11d5ccc238c289eaa92c
    Detection: ClamAV: Doc.Dropper.Agent-6412232-1
    Obfuscation or payload: unlikely
  • objdata_07_off0007ca0b.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x7CA0B
    Size: 24123 bytes
    SHA-256: 5e661e29bd2a34ecf94b51bf167d94527c094e5872dde9bdda42d15965a6bd49
    Detection: ClamAV: Doc.Dropper.Agent-6412232-1
    Obfuscation or payload: unlikely
  • objdata_08_off0008e091.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x8E091
    Size: 24123 bytes
    SHA-256: 4a4c62c35c4214403e7c0ba5a8648551c6ab5b73dbff2394061e574703637c4f
    Detection: ClamAV: Doc.Dropper.Agent-6412232-1
    Obfuscation or payload: unlikely
  • objdata_09_off0009f717.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x9F717
    Size: 24123 bytes
    SHA-256: d96c33472520828359dd6d6f522b2660583a48ede4242ae16d524237972ddc18
    Detection: ClamAV: Doc.Dropper.Agent-6412232-1
    Obfuscation or payload: unlikely