Malicious RTF — malware analysis report

Static analysis result for SHA-256 ebd113e5fa9a73f3…

MALICIOUS

RTF

Size: 1.23 MB
First seen: 2019-01-25
MD5: 8eab478294b730499f1ea79a5bc085e5
SHA-1: d0d099ab5a7c97e16aacbab7ef82b19533e0f0e9
SHA-256: ebd113e5fa9a73f37eab8a394cad6f41696792a120ee1a425dee1994ac277ba8
Risk Score: 164

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution; T1566.001 Spearphishing Attachment

The RTF file contains OLE objects and has triggered critical heuristics for ClamAV detections related to CVE-2015-1641. This indicates the file is designed to exploit a known vulnerability for client execution. The embedded OLE objects and the nature of the exploit suggest it's likely delivered as a spearphishing attachment, aiming to download and execute a secondary payload.

Heuristics (5)

  • ClamAV: Doc.Exploit.CVE_2015_1641-6397417-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Exploit.CVE_2015_1641-6397417-0
  • OLE object data medium RTF_OBJDATA
    RTF contains 4 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (channel: RTF body for each):
    • http://www.dnd.gov.ph/ In RTF body
    • http://www.afp.mil.ph/index.php/homepage In RTF body
    • http://www.navy.mil.ph/ In RTF body
    • http://www.paf.mil.ph/ In RTF body
    • http://www.army.mil.ph/ In RTF body
    • http://www.coastguard.gov.ph/ In RTF body
    • http://www.ndrrmc.gov.ph In RTF body
    • http://www.ndcp.edu.ph/ In RTF body
    • http://www.dilg.gov.ph In RTF body
    • http://pctc.gov.ph/ In RTF body
    • http://pnp.gov.ph/portal/ In RTF body
    • http://www.doj.gov.ph/index.html In RTF body
    • http://www.nbi.gov.ph In RTF body
    • http://www.iacat.net/ In RTF body
    • http://www.osg.gov.ph In RTF body
    • http://opapp.gov.ph/ In RTF body
    • http://www.ddb.gov.ph In RTF body
    • http://www.pdea.gov.ph In RTF body
    • http://www.pms.gov.ph/ In RTF body
    • http://www.pnri.dost.gov.ph/ In RTF body
    • http://www.comelec.gov.ph/?r=AboutCOMELEC/OrganizationalInfo/ContactInformation/MainOffice In RTF body
    • http://schemas.openxmlformats.org/drawingml/2006/main In RTF body

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Columns: Filename, Kind, Source, Size (followed by hash and any detection details).

  • objdata_00_off0000001f.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x1F
    Size: 53 bytes
    SHA-256: 27dedb23bebf4c25762971c4eb486b0f3873347bf82424ea00f742257e85dac5
  • objdata_01_off000000e1.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0xE1
    Size: 50737 bytes
    SHA-256: fa8fa143ec5e1c13d6fc47ea2c648d3170d0198df673aa93d3061b30b6962788
  • objdata_02_off000193cc.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x193CC
    Size: 31281 bytes
    SHA-256: 43d09ede2f45c345e4c4f81b07c63d22c3263a033a48a64587717765efb77fe9
    Detection: ClamAV: Doc.Exploit.CVE_2015_1641-6397417-0
    Obfuscation or payload: likely (carved artifact entropy is 7.69, consistent with packed or encrypted content)
  • objdata_03_off00028c57.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x28C57
    Size: 50737 bytes
    SHA-256: 23359808b0323878be921ef6997fdbb95ee1a65f135ae7d01561575673843b6b
    Detection: ClamAV: Win.Exploit.Call4_Dword_Xor-1
    Obfuscation or payload: unlikely