Malicious RTF — malware analysis report

Static analysis result for SHA-256 e84f1e09cc87882f…

Verdict: MALICIOUS
File type: RTF
Size: 918.5 KB
Created: 2018-05-07
First seen: 2018-07-23
MD5: a4cb5d3cd92c3650d9115e0919fb63ed
SHA-1: 781595168115d3df099f006baf19b9ff34012194
SHA-256: e84f1e09cc87882f489056a8400b5c28dcd0edb82d0e1e34ac5f421a08331e40
Risk Score: 262

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file contains multiple embedded OLE objects and carries a \objupdate control word, which forces OLE activation on open and is indicative of exploiting vulnerabilities such as CVE-2017-8759 for client execution. ClamAV detections further confirm its malicious nature, flagging it as Doc.Macro.Obfuscation. The primary attack vector is most likely a spearphishing attachment, with the embedded OLE object serving as the mechanism to download and execute a secondary payload.

Heuristics (6)

  • CVE-2017-8759 — MSXML SAX OLE activation [critical] [CVE likely] rule: CVE_2017_8759
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • ClamAV: Doc.Dropper.Agent-6412232-1 [critical] rule: CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1
  • \objupdate forces OLE activation [high] rule: RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] rule: RTF_OBJDATA
    RTF contains 10 \objdata section(s) — embedded OLE objects
  • Embedded OLE object [medium] rule: RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Embedded URL [info] rule: EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (channel: RTF body)

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Columns: Filename | Kind | Source | Size | SHA-256 | Detection | Obfuscation or payload

  • objdata_00_off00002c0d.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x2C0D
    Size: 33339 bytes
    SHA-256: 7fa438c63b236e27b67c3244afd0e62af7214475a5d9f5de2287a47b83ca1073
    Detection: ClamAV: Doc.Dropper.Agent-6412232-1
    Obfuscation or payload: unlikely
  • objdata_01_off00018b25.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x18B25
    Size: 33339 bytes
    SHA-256: 5ce2efa598b866ecb9b83264113b2afa186eed22bf16f990148604d79935a3ec
    Detection: ClamAV: Doc.Dropper.Agent-6412232-1
    Obfuscation or payload: unlikely
  • objdata_02_off0002ea3d.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x2EA3D
    Size: 33339 bytes
    SHA-256: c34f3d85c005f074afd0be7bd3360ba96533c788033f820719c6a58d6fab2e51
    Detection: ClamAV: Doc.Dropper.Agent-6412232-1
    Obfuscation or payload: unlikely
  • objdata_03_off00044955.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x44955
    Size: 33339 bytes
    SHA-256: f9add8e50d797688f7e924cd86b9c53caada7187c97f77ea5048dbebc3dd53df
    Detection: ClamAV: Doc.Dropper.Agent-6412232-1
    Obfuscation or payload: unlikely
  • objdata_04_off0005a86d.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x5A86D
    Size: 33339 bytes
    SHA-256: b87de9ff8804b79b41314eed25a15537b92468e4343898ecf5947d74b86bfbc3
    Detection: ClamAV: Doc.Dropper.Agent-6412232-1
    Obfuscation or payload: unlikely
  • objdata_05_off000707cf.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x707CF
    Size: 33339 bytes
    SHA-256: 23805bf10d5049c04bc639d6b869efa122eaa5b16965b4f6950daafce956ba1d
    Detection: ClamAV: Doc.Dropper.Agent-6412232-1
    Obfuscation or payload: unlikely
  • objdata_06_off000866e7.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x866E7
    Size: 33339 bytes
    SHA-256: 94179bb7b5f48a2d94304823411d8c6f8b0944d03452be17fc21a57ecb2f9cde
    Detection: ClamAV: Doc.Dropper.Agent-6412232-1
    Obfuscation or payload: unlikely
  • objdata_07_off0009c5ff.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x9C5FF
    Size: 33339 bytes
    SHA-256: b2bcd123d864702328ac136d1525e05afc4a3a1e5db406b61b6af4e414bec253
    Detection: ClamAV: Doc.Dropper.Agent-6412232-1
    Obfuscation or payload: unlikely
  • objdata_08_off000b2517.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0xB2517
    Size: 33339 bytes
    SHA-256: ef0f93999fee0b0f5d260d1fe1288153eafb7149b20b0003b44dcb77968d6562
    Detection: ClamAV: Doc.Dropper.Agent-6412232-1
    Obfuscation or payload: unlikely
  • objdata_09_off000c842f.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0xC842F
    Size: 33339 bytes
    SHA-256: 7b786838d7dd27e85337bfdcfb3b25c6769ee2aaf59357525f8ab0fa88db1706
    Detection: ClamAV: Doc.Dropper.Agent-6412232-1
    Obfuscation or payload: unlikely