Malicious RTF — malware analysis report

Static analysis result for SHA-256 e9c2487766379f5d…

Verdict: MALICIOUS
File type: RTF
Size: 921.3 KB
Created: 2018-03-12 22:17:00
First seen: 2018-03-30
MD5: 8dcd15544e5a9a2ca1ea6cc99ddd3d1b
SHA-1: 72fe292e9edce2f11dede3dae1c4b779c59b8c67
SHA-256: e9c2487766379f5d0841f8d27d14cc5dba556601a0a26a182a2444866e0fb9e6
Risk score: 262

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file embeds multiple OLE objects (11 \objdata sections, 7 of which were carved below) and carries the \objupdate control word, which makes Word instantiate those objects as soon as the document is opened, with no click required. One of the objects is a hex-encoded OLE1 wrapper for Msxml2.SAXXMLReader.6.0 followed by an OLE compound document, the staging shape used for CVE-2017-8759 (SOAP/WSDL parser code injection) client-side execution. ClamAV flags the file and each carved object as Xls.Downloader.Generic-6750544-0, which corroborates the verdict. The likely delivery vector is a spearphishing attachment (T1566.001), with the auto-activated OLE object fetching and executing a second-stage payload (T1203).

Heuristics (6)

  • CVE-2017-8759 — MSXML SAX OLE activation [critical] (CVE likely: CVE_2017_8759)
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • ClamAV: Xls.Downloader.Generic-6750544-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Downloader.Generic-6750544-0. The same signature fires on every carved \objdata object below; the "Xls" prefix is ClamAV's signature naming, not the container type (the file is RTF).
  • \objupdate forces OLE activation [high] (RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic instantiation of the embedded OLE objects when the document is opened, without any user interaction. It is seen almost exclusively in exploit documents, classically Equation Editor ones; here it pairs with the SAXXMLReader object above.
  • OLE object data [medium] (RTF_OBJDATA)
    RTF contains 11 \objdata sections (embedded OLE objects); 7 of them are carved below.
  • Embedded OLE object [medium] (RTF_OBJEMB)
    RTF contains \objemb (embedded OLE object).
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body). This is the standard WordML namespace string that Word writes into RTF, not a download location.
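The three RTF heuristics above (RTF_OBJDATA, RTF_OBJUPDATE and the CVE_2017_8759 staging match) can be reproduced with a small stand-alone scanner. The following is an added example written for this page, not the sandbox's own detection code. It pulls every \objdata hex run out of an RTF, tolerating line breaks and filler control words between the digits, parses the OLE 1.0 ObjectHeader (MS-OLEDS 2.2.4) to recover the embedded class name, checks the native data for the OLE compound-file magic, and notes whether \objupdate and \objemb are present. The EXPLOIT_CLASSES map, the ole1_blob() builder, FAKE_CFB and SAMPLE_RTF are constructed for the example (the sample is a header-only mock of the staging shape, not the analysed file).

```python
# Added example: extract \objdata blobs from an RTF, parse the OLE 1.0 header
# (MS-OLEDS 2.2.4) for the class name, and flag the CVE-2017-8759 staging shape.
import re
import struct

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE compound file header

# Class names whose automatic activation from RTF is a known exploit shape
# (assumed map for this example), matched case-insensitively as prefixes so
# version suffixes such as ".6.0" still hit.
EXPLOIT_CLASSES = {
    "msxml2.saxxmlreader": "CVE-2017-8759 (SOAP WSDL parser code injection)",
    "equation.3": "Equation Editor memory corruption (e.g. CVE-2017-11882)",
}

_OBJDATA = re.compile(rb"\\objdata(?![a-zA-Z])")
_CONTROL = re.compile(rb"\\[a-zA-Z]+-?\d* ?|\\[^a-zA-Z]")  # control words/symbols
_NONHEX = re.compile(rb"[^0-9A-Fa-f]")


def objdata_groups(rtf):
    """Yield (offset, hex_digits) per {\\*\\objdata ...} group. Braces are walked so
    a nested group cannot truncate the blob; control words, whitespace and filler
    bytes that evasive samples sprinkle between the hex digits are dropped."""
    for m in _OBJDATA.finditer(rtf):
        depth, i = 1, m.end()
        while i < len(rtf) and depth:
            depth += {0x7B: 1, 0x7D: -1}.get(rtf[i], 0)   # '{' / '}'
            i += 1
        end = i - 1 if depth == 0 else i                  # exclude closing '}'
        body = _CONTROL.sub(b"", rtf[m.end():end])
        yield m.start(), _NONHEX.sub(b"", body)


def _lp_ansi(buf, pos):
    """LengthPrefixedAnsiString: u32 length (NUL included) then the bytes."""
    (n,) = struct.unpack_from("<I", buf, pos)
    return buf[pos + 4:pos + 4 + n].rstrip(b"\x00").decode("latin-1"), pos + 4 + n


def parse_ole1(blob):
    """Parse OLEVersion, FormatID, ClassName, TopicName, ItemName and NativeData.
    Returns None if the bytes are not an OLE 1.0 object (bad version, truncated)."""
    try:
        version, fmt = struct.unpack_from("<II", blob, 0)
        cls, pos = _lp_ansi(blob, 8)
        _topic, pos = _lp_ansi(blob, pos)
        _item, pos = _lp_ansi(blob, pos)
        (size,) = struct.unpack_from("<I", blob, pos)
    except struct.error:
        return None
    if version != 0x501:
        return None
    return {"format_id": fmt, "class_name": cls,
            "native": blob[pos + 4:pos + 4 + size]}


def scan_rtf(rtf):
    """Report file-level flags plus one entry per \\objdata object."""
    report = {"objupdate": b"\\objupdate" in rtf, "objemb": b"\\objemb" in rtf,
              "objects": [], "suspicious": []}
    for off, hexdigits in objdata_groups(rtf):
        blob = bytes.fromhex(hexdigits[:len(hexdigits) & ~1].decode("ascii"))
        ole = parse_ole1(blob)
        cls = ole["class_name"] if ole else ""
        native = ole["native"] if ole else blob
        match = next((label for prefix, label in EXPLOIT_CLASSES.items()
                      if cls.lower().startswith(prefix)), None)
        report["objects"].append({"offset": off, "decoded_size": len(blob),
                                  "class_name": cls, "has_cfb": CFB_MAGIC in native,
                                  "match": match})
        if match:
            note = match + ("; \\objupdate forces activation without a click"
                            if report["objupdate"] else "")
            report["suspicious"].append((off, note))
    return report


def ole1_blob(class_name, native):
    """Build an OLE 1.0 embedded object (FormatID 2): constructed test data."""
    cls = class_name.encode("ascii") + b"\x00"
    hdr = struct.pack("<III", 0x501, 2, len(cls)) + cls + struct.pack("<II", 0, 0)
    return hdr + struct.pack("<I", len(native)) + native


# Constructed RTF mimicking the staging shape: a Msxml2.SAXXMLReader.6.0 OLE1
# object wrapping a header-only fake compound file, forced with \objupdate, plus
# an ordinary embedded Word object for contrast (first hex run split by a newline).
FAKE_CFB = CFB_MAGIC + b"\x00" * 24
_SAX = ole1_blob("Msxml2.SAXXMLReader.6.0", FAKE_CFB).hex().encode()
_DOC = ole1_blob("Word.Document.8", FAKE_CFB).hex().encode()
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\deff0\n"
    + b"{\\object\\objemb\\objupdate{\\*\\objclass Msxml2.SAXXMLReader.6.0}"
    + b"{\\*\\objdata\n" + _SAX[:40] + b"\n" + _SAX[40:] + b"}}\\par\n"
    + b"{\\object\\objemb{\\*\\objclass Word.Document.8}{\\*\\objdata " + _DOC + b"}}\\par\n"
    + b"}"
)

if __name__ == "__main__":
    print(scan_rtf(SAMPLE_RTF)["suspicious"])
```

Run scan_rtf() over the raw bytes of a real RTF to get the same offset/size pairs the artifact table reports; the offset is that of the \objdata control word, and decoded_size is the length of the hex-decoded blob. Only the class name drives the verdict: an embedded Word.Document.8 also carries a compound file, so CFB magic alone is not a signal, while \objupdate raises severity because it removes the user click that would otherwise gate activation.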

Extracted artifacts (7)

Files carved from inside the sample during analysis: 7 of the 11 \objdata sections, each decoding to 28731 bytes but with a distinct SHA-256.

Filename                     Kind                 Source                          Size
objdata_00_off00002c4c.bin   rtf-objdata-decoded  RTF \objdata at offset 0x2C4C   28731 bytes
    SHA-256: d690e4cf0a9862610c60c55c66f78d3cc31a3fa1d65c7e775f002c8294f98ad3
    Detection: ClamAV: Xls.Downloader.Generic-6750544-0
    Obfuscation or payload: unlikely
objdata_01_off00016c8d.bin   rtf-objdata-decoded  RTF \objdata at offset 0x16C8D  28731 bytes
    SHA-256: 6f753c949234a8e77df257e38c1e6f107c21363f671b530be1775c43bc758f6b
    Detection: ClamAV: Xls.Downloader.Generic-6750544-0
    Obfuscation or payload: unlikely
objdata_02_off0002acce.bin   rtf-objdata-decoded  RTF \objdata at offset 0x2ACCE  28731 bytes
    SHA-256: e6910019f1e220c1a23113e03beeffae0347b3298bb1649e294ab2266d889a6e
    Detection: ClamAV: Xls.Downloader.Generic-6750544-0
    Obfuscation or payload: unlikely
objdata_04_off00052d50.bin   rtf-objdata-decoded  RTF \objdata at offset 0x52D50  28731 bytes
    SHA-256: afb469f4b1091fd150ebcc59c1000b53f3a26f894861fed318c1228def1b5335
    Detection: ClamAV: Xls.Downloader.Generic-6750544-0
    Obfuscation or payload: unlikely
objdata_06_off0007add2.bin   rtf-objdata-decoded  RTF \objdata at offset 0x7ADD2  28731 bytes
    SHA-256: 005db03f4c59e71d4ff14d5157bcba77cbc154ed2482c1157c215f434e7445f3
    Detection: ClamAV: Xls.Downloader.Generic-6750544-0
    Obfuscation or payload: unlikely
objdata_08_off000a2e54.bin   rtf-objdata-decoded  RTF \objdata at offset 0xA2E54  28731 bytes
    SHA-256: 12eef507b7fa5c4ef2b1865c7022f63899eaf1812bfc8e2496353ba55cd7b0f3
    Detection: ClamAV: Xls.Downloader.Generic-6750544-0
    Obfuscation or payload: unlikely
objdata_10_off000caed6.bin   rtf-objdata-decoded  RTF \objdata at offset 0xCAED6  28731 bytes
    SHA-256: a6960740d252cb647b85c7654e2b21d5e64b8f3a4e840ba71c685905bf003c53
    Detection: ClamAV: Xls.Downloader.Generic-6750544-0
    Obfuscation or payload: unlikely