Malicious RTF — malware analysis report

Heuristics 6

• CVE-2017-0199 / CVE-2017-8759 (OLE2Link auto-activated remote loader) critical CVE related RTF_OLE2LINK_REMOTE_MONIKER_LOADER
  RTF embeds an OLE2Link object that is force-activated with \objupdate (no user interaction on open) and fetches a remote second stage — through an INCLUDETEXT/INCLUDEPICTURE field or the OLE object's own moniker. This is the OLE2Link auto-update attack path shared by CVE-2017-0199 (server returns an HTA/scriptlet) and CVE-2017-8759 (server returns a SOAP WSDL the .NET parser compiles). Office processes the fetched response through the same code path; the specific CVE depends on the now-unreachable server content type.
• ClamAV: Rtf.Downloader.CVE_2017-6336326-3 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Rtf.Downloader.CVE_2017-6336326-3
• \objupdate forces OLE activation high RTF_OBJUPDATE
  RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
• INCLUDETEXT/INCLUDEPICTURE remote URL high RTF_INCLUDE_REMOTE
  RTF document uses INCLUDETEXT or INCLUDEPICTURE with an http:// URL — Word can fetch the remote content on open depending on Office version and external-content settings, enabling remote template injection, NTLM capture via redirects, or payload delivery
• OLE object data medium RTF_OBJDATA
  RTF contains 2 \objdata section(s) — embedded OLE objects
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL http://hairfoxwan.com/tes/t.php?stats=send&thread=0 In RTF body

  • http://schemas.microsoft.com/office/word/2003/wordmlIn RTF body

Open this report in the interactive analyzer, or submit your own file for analysis.