Malicious RTF — malware analysis report

Static analysis result for SHA-256 ed82cdb2ec4c7bb3…

MALICIOUS

RTF

Size: 790.9 KB   Created: 2018-04-18 02:07:00   First seen: 2018-04-30
MD5: 530de6679b4252ee610f981f5733df2d
SHA-1: 1e3969c8eb5e32ae2bc705793892775693033278
SHA-256: ed82cdb2ec4c7bb3e5b107d3b3f431af2d2970dd46d1d1dc9bf47412d6edabc9
Risk score: 142

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment

The RTF embeds ten OLE objects and carries \objupdate, which makes Word instantiate them when the document is opened without any click from the user; that alone is a strong exploitation indicator. The critical heuristic matched the staging shape of CVE-2017-8759 (an OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document), so the sample most likely exploits that .NET Framework SOAP/WSDL parser flaw to gain code execution. Static matching identifies the staging, not the payload: recovering the second stage requires unpacking the decoded objects or detonating the document. The only extracted URL is the Microsoft WordprocessingML schema namespace, a benign part of the document format and not an IOC.

Heuristics 5

  • CVE-2017-8759: MSXML SAX OLE activation [critical; CVE likely] CVE_2017_8759
    RTF contains a hex-encoded OLE1 object whose class name is Msxml2.SAXXMLReader.6.0, followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759, a code-injection vulnerability in the .NET Framework SOAP/WSDL parser: the RTF only stages the object, the parser bug is what runs attacker-controlled code.
  • \objupdate forces OLE activation [high] RTF_OBJUPDATE
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, so no user interaction with the object is needed. Legitimate documents rarely carry it; it is a hallmark of Equation Editor (CVE-2017-11882) exploit documents and of other OLE-triggered chains such as the CVE-2017-8759 staging flagged above.
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 10 \objdata sections (embedded OLE objects).
  • Embedded OLE object [medium] RTF_OBJEMB
    RTF contains \objemb (embedded OLE object).
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)
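The heuristics above reduce to a few mechanical checks: carve each \objdata hex blob, parse the OLE 1.0 header to read the class name and the native payload, and look for \objupdate and \objemb. The script below is an added example, not the analysis platform's own code, that performs those checks and also emits the offset, size and SHA-256 of each decoded object in the same shape as the "Extracted artifacts" table. The RTF it runs on is constructed inline and carries a placeholder payload (the compound-document signature plus padding), not an exploit; MS-OLEDS ObjectHeader field layout is assumed as documented, and real samples add obfuscation (interleaved control words, split groups) that a production carver such as rtfobj handles more thoroughly.

```python
"""Minimal RTF OLE-object triage mirroring the report's RTF heuristics.

Added example, not the analysis platform's code: it carves every \\objdata
hex blob, parses the OLE 1.0 ObjectHeader (MS-OLEDS) for the class name and
native payload, flags \\objupdate / \\objemb, and hashes each decoded object
the way the 'Extracted artifacts' table does. The sample RTF is constructed
here and carries a placeholder payload, not an exploit.
"""
import binascii
import hashlib
import re
import struct

OBJDATA_RE = re.compile(rb"\\objdata\b")
# Control word or control symbol to skip while scanning hex, e.g. \bin, \'41, \{
CTRL_RE = re.compile(rb"\\(?:'[0-9A-Fa-f]{2}|[A-Za-z]+-?[0-9]* ?|.)", re.DOTALL)
HEX_DIGITS = b"0123456789abcdefABCDEF"
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE compound document signature


def carve_objdata(rtf: bytes):
    """Yield (offset of the \\objdata control word, decoded bytes) per group."""
    for m in OBJDATA_RE.finditer(rtf):
        i, depth, hexchars = m.end(), 0, bytearray()
        while i < len(rtf):
            c = rtf[i:i + 1]
            if c == b"{":
                depth += 1
            elif c == b"}":
                if depth == 0:
                    break                      # closing brace of the \objdata group
                depth -= 1
            elif c == b"\\":
                cw = CTRL_RE.match(rtf, i)     # interleaved control words are ignored
                i = cw.end() if cw else i + 1
                continue
            elif c in HEX_DIGITS:
                hexchars += c                  # whitespace and newlines fall through
            i += 1
        if len(hexchars) % 2:
            hexchars = hexchars[:-1]           # tolerate a dangling nibble
        yield m.start(), binascii.unhexlify(bytes(hexchars))


def parse_ole1(blob: bytes):
    """Parse the OLE 1.0 ObjectHeader at the start of a decoded \\objdata blob."""
    if len(blob) < 8:
        return None
    version, fmt = struct.unpack_from("<II", blob, 0)   # OLEVersion, FormatID
    pos, names = 8, []
    for _ in range(3):                                  # ClassName, TopicName, ItemName
        if pos + 4 > len(blob):
            return None
        n, = struct.unpack_from("<I", blob, pos)        # LengthPrefixedAnsiString
        pos += 4
        names.append(blob[pos:pos + n].rstrip(b"\x00").decode("latin-1"))
        pos += n
    native = b""
    if fmt == 2 and pos + 4 <= len(blob):               # 2 = EmbeddedObject: NativeDataSize + NativeData
        size, = struct.unpack_from("<I", blob, pos)
        native = blob[pos + 4:pos + 4 + size]
    return {"ole_version": version, "format_id": fmt, "class_name": names[0],
            "topic_name": names[1], "item_name": names[2], "native_data": native}


def triage(rtf: bytes) -> dict:
    """Reproduce the RTF_OBJUPDATE / RTF_OBJEMB / CVE-2017-8759 shape checks."""
    objects = []
    for off, blob in carve_objdata(rtf):
        hdr = parse_ole1(blob)
        objects.append({
            "offset": off, "size": len(blob),
            "sha256": hashlib.sha256(blob).hexdigest(),
            "class_name": hdr["class_name"] if hdr else None,
            "native_size": len(hdr["native_data"]) if hdr else 0,
            "native_is_cfb": bool(hdr) and hdr["native_data"].startswith(CFB_MAGIC),
        })
    objupdate = b"\\objupdate" in rtf
    sax = [o for o in objects if (o["class_name"] or "").startswith("Msxml2.SAXXMLReader")]
    return {
        "objupdate": objupdate,
        "objemb": b"\\objemb" in rtf,
        "objects": objects,
        # Report heuristic: SAXXMLReader OLE1 object + embedded compound doc + forced activation
        "cve_2017_8759_shape": objupdate and any(o["native_is_cfb"] for o in sax),
    }


def build_ole1(class_name: bytes, native: bytes) -> bytes:
    """Construct an OLE 1.0 EmbeddedObject blob (used only to build the sample)."""
    def lp(s: bytes) -> bytes:  # LengthPrefixedAnsiString; the length counts the NUL
        return (struct.pack("<I", len(s) + 1) + s + b"\x00") if s else struct.pack("<I", 0)
    return (struct.pack("<II", 0x0501, 2) + lp(class_name) + lp(b"") + lp(b"")
            + struct.pack("<I", len(native)) + native)


# Constructed sample: compound-document magic plus padding stands in for the
# embedded OLE document; there is no exploit content in it.
SAMPLE_NATIVE = CFB_MAGIC + b"\x00" * 24
_hex = binascii.hexlify(build_ole1(b"Msxml2.SAXXMLReader.6.0", SAMPLE_NATIVE))
_hex_wrapped = b"\n".join(_hex[i:i + 64] for i in range(0, len(_hex), 64))
SAMPLE_RTF = (b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Calibri;}}\n"
              b"{\\object\\objemb\\objupdate\\objw1\\objh1{\\*\\objclass Msxml2.SAXXMLReader.6.0}\n"
              b"{\\*\\objdata\n" + _hex_wrapped + b"}}\\par}\n")

if __name__ == "__main__":
    result = triage(SAMPLE_RTF)
    print("objupdate:", result["objupdate"], "objemb:", result["objemb"],
          "CVE-2017-8759 shape:", result["cve_2017_8759_shape"])
    for o in result["objects"]:
        print(f"\\objdata at 0x{o['offset']:X}: {o['class_name']} {o['size']} bytes {o['sha256']}")
```

The class name comes from the OLE1 header rather than from \objclass because the two need not agree; an attacker controls both, but the header is what OLE actually instantiates. Run it over a real sample by replacing SAMPLE_RTF with the file bytes, then compare the per-object hashes against the artifact table.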

Extracted artifacts 10

Files carved from inside the sample during analysis. All ten decoded objects are exactly 26171 bytes yet have distinct SHA-256 hashes, so they are not byte-identical copies; diff them before treating them as one object repeated ten times.

Filename | Kind | Source | Size
objdata_00_off00002c3e.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2C3E | 26171 bytes
  SHA-256: 2168fd269d6a365dcbf1b98c55482e76233b51f20d876d2575805c3db3729f98
objdata_01_off0001584f.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1584F | 26171 bytes
  SHA-256: 4fc19de7888f34def225b35abb56a159b559009bdccc5018b91a9310d2434d89
objdata_02_off00028460.bin | rtf-objdata-decoded | RTF \objdata at offset 0x28460 | 26171 bytes
  SHA-256: e6174de823241c4f4f77e0fd216487d8a7b80fe069b556a76e2151641c736dac
objdata_03_off0003b071.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3B071 | 26171 bytes
  SHA-256: 7ecac4f3af6791b691f202d847e90eb4e74bae4c65b3102f74ceeebd34c0ee7e
objdata_04_off0004dc82.bin | rtf-objdata-decoded | RTF \objdata at offset 0x4DC82 | 26171 bytes
  SHA-256: 1065e2815e2535ebd0594cd99fbb7538b175c946f140db5851e5711c2792e681
objdata_05_off000608db.bin | rtf-objdata-decoded | RTF \objdata at offset 0x608DB | 26171 bytes
  SHA-256: 3e4c104d7387ed60e9f051f0493194a9870776f33a7e1a5b355576a6f9a69d4e
objdata_06_off000734ec.bin | rtf-objdata-decoded | RTF \objdata at offset 0x734EC | 26171 bytes
  SHA-256: 9edfc40dc4f021020daf3ba064440d5f62eaccc5c0dbc7069ad67bbf3082ebb5
objdata_07_off000860fd.bin | rtf-objdata-decoded | RTF \objdata at offset 0x860FD | 26171 bytes
  SHA-256: 3aba8925f6b095f2ee8ad0eb1e6710a45e3ba941cb7353e7a90b95aa9eec275c
objdata_08_off00098d0e.bin | rtf-objdata-decoded | RTF \objdata at offset 0x98D0E | 26171 bytes
  SHA-256: 2ee22cd2fe3d957f17d28f85e2512833fc0318bc2dbb2e01ebd651e1d04ecd31
objdata_09_off000ab91f.bin | rtf-objdata-decoded | RTF \objdata at offset 0xAB91F | 26171 bytes
  SHA-256: 6e99bf85aaef54184645aae77a5922468d8a15b36e00b7faa98bc54df915d16f