Malicious RTF — malware analysis report

Static analysis result for SHA-256 ea2e60dc52ac5377…

MALICIOUS

RTF

Size: 391.3 KB Created: 2013-03-13 17:07:00 Authoring application: WPS Office \'b8\'f6\'c8\'cb\'b0\'e6 First seen: 2015-10-05
MD5: df77b989effc06ab3222583a985186c0 SHA-1: a00c9a11de02c0e17670181ff9eda21599741782 SHA-256: ea2e60dc52ac53778aff842790e8bb759a363b6453fee4ed9a0d310ca6993315
Risk Score: 122

Heuristics (5)

  • MSCOMCTL.TreeView — CVE-2012-0158 (severity: high; category: CVE related; rule: CVE_2012_0158)
    RTF \objdata decodes to OLE data containing the MSCOMCTL.TreeView — CVE-2012-0158 CLSID — the vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
  • CVE-2012-0158 RTF embedded encrypted payload (severity: high; category: CVE related; rule: RTF_CVE_2012_0158_EMBEDDED_PAYLOAD)
    The CVE-2012-0158 document embeds a large high-entropy binary blob — the encrypted/packed second-stage payload the exploit shellcode drops and runs. Hex-encoded object data cannot reach this entropy, so the region is genuine binary, not markup. The payload is encrypted in the file, so it is surfaced as an IOC (offset, size, SHA-256) rather than a decoded executable.
  • OLE object data (severity: medium; rule: RTF_OBJDATA)
    RTF contains 4 \objdata section(s) — embedded OLE objects
  • Suspicious extracted artifact (severity: medium; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs and the channel that reached each:
    • http://www.guardian.co.uk/world/2013/jun/17/edward-snowden-nsa-files-whistleblower (in RTF body)
    • http://www.telegraph.co.uk/news/worldnews/northamerica/usa/10117690/Whistleblower-Edward-Snowden-claims-US-targets-Chinese-computers-for-cyber-attacks.html (in RTF body)
    • http://www.motherjones.com/mojo/2013/06/can-snowden-get-icelandic-asylum-hong-kong (in RTF body)
    • http://www.wired.com/threatlevel/2013/06/prism-google-facebook/ (in RTF body)
    • http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Fields per artifact: Filename | Kind | Source | Size

  • objdata_00_off00002f06.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2F06 | 60541 bytes
    SHA-256: 3ffc0c32fa71ae714c3dc119ef9c14896e4916c904f2588e344a950a7fa73b70
  • objdata_01_off0003d807.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3D807 | 20196 bytes
    SHA-256: d7201840a563703ed1db28ce3f2be0054126bf87e4a567de0c0fccaa2eea0fdc
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Static shellcode analysis found candidate code region(s). Indicators: SC_PEB_ACCESS
  • objdata_02_off0003d827.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3D827 | 20190 bytes
    SHA-256: 2124b67ebc731a81b87660f51a12f0a9cc500133742f901010915995fab66bf7
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Static shellcode analysis found candidate code region(s). Indicators: SC_PEB_ACCESS