Malicious RTF — malware analysis report

Static analysis result for SHA-256 ec504c6d4812424e…

MALICIOUS

RTF

Size: 196.6 KB
First seen: 2018-06-21
MD5: d4619fc3e4a6695c0a15c6d9d51c1e3b
SHA-1: ae5ca01857222e7cf115e32f60149e6e3d2f9e72
SHA-256: ec504c6d4812424e3c13d54bef572afd80ba8366622b70fe748410955038b78b
Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file contains embedded OLE object data and heuristics indicate the use of \objupdate and URL monikers, suggesting exploitation for client execution. The embedded OLE object is likely responsible for downloading and executing a secondary payload, a common technique for initial access via spearphishing attachments.

Heuristics (3)

  • URL Moniker in RTF OLE object (severity: high; CVE related; rule: RTF_URL_MONIKER_RELATED)
    RTF contains a URL Moniker GUID in OLE object context, but no decoded remote target was confirmed. Treat as related OLE2Link attack-surface evidence rather than proof of CVE-2017-0199 exploitation.
  • \objupdate forces OLE activation (severity: high; rule: RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium; rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s), i.e. embedded OLE object(s).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000003c.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x3C
Size: 64348 bytes
SHA-256: b5436c6a1e1e570b7a0d5d7088cb161cbbcfb0174eccb1ac969e958cc0052824