Malicious RTF — malware analysis report

Static analysis result for SHA-256 eeb5105bc3ed943f…

Verdict: MALICIOUS
Type: RTF
Size: 6.63 MB
Created: 2014-11-14 09:46:00
First seen: 2015-03-15
MD5: c04ba0b52359106ce58b51659c146694
SHA-1: d40b593a60f2cd90ba38eff8ff88de37cbd54078
SHA-256: eeb5105bc3ed943f15972a6479d746c7455646c38d3f4dcc461caacfc6063b06
Risk Score: 162

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF file contains multiple indicators of malicious activity: heap-spray padding, embedded OLE object data, and decoded OLE content matching the MSCOMCTL ListView control targeted by CVE-2012-0158. The embedded URL points directly to an executable, so the document's primary purpose is most likely to download and run a second-stage payload. The very large volume of hex-encoded data inside the OLE objects, far more than the decoded objects account for, is consistent with hidden spray or payload content.

Heuristics (6)

  • MSCOMCTL.ListView / CVE-2012-0158  [high]  CVE related  CVE_2012_0158
    RTF \objdata decodes to OLE data containing the CLSID of the MSCOMCTL ListView control targeted by CVE-2012-0158. The vulnerable control is embedded directly in the document's object stream, which is the delivery shape of this exploit; Word renders embedded OLE objects automatically when the file is opened, so opening the document is the only user action required.
  • Heap-spray pattern detected  [high]  SC_HEAP_SPRAY
    Repeated 0x41 ('A') bytes found. Each 0x41 decodes as a single-byte inc ecx, a harmless filler instruction used as a sled so that a hijacked pointer landing anywhere in the run slides into the code placed after it. The listing below is a best-effort x86 decode of raw bytes, not a confirmed code region.
    Disassembly
    Attempted x86 opcode disassembly
    0063552E  41                inc ecx
    0063552F  41                inc ecx
    00635530  41                inc ecx
    00635531  41                inc ecx
    ... (the same single-byte instruction repeats at every offset through 0063558D: 96 consecutive 0x41 bytes in this excerpt)
    0063558D  41                inc ecx
  • Large hex data blocks in OLE object  [high]  RTF_EXCESSIVE_HEX
    RTF contains ~6497KB of hex-encoded data inside \objdata sections, which may hide a payload. The three decoded objects listed under Extracted artifacts total only 7,673 bytes, so the bulk of the hex is filler beyond the objects' declared data, consistent with the heap-spray finding.
  • OLE object data  [medium]  RTF_OBJDATA
    RTF contains 3 \objdata section(s), i.e. embedded OLE objects.
  • Suspicious extracted artifact  [medium]  EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL  [info]  EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://swetlanazhukova.ru/wp-content/themes/deal/alitalia.exe  (in RTF body): a direct link to an executable; treat it as the second-stage download URL and as an IOC.
    • http://schemas.microsoft.com/office/word/2003/wordml  (in RTF body): the standard WordprocessingML 2003 namespace string found in Word-generated RTF; not an indicator.
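The CVE_2012_0158, SC_HEAP_SPRAY and RTF_EXCESSIVE_HEX heuristics above all rest on one step: recovering the OLE1 object bytes from the \objdata hex. The following is an added example written for this page, not the analyser's own code. It decodes \objdata groups (removing RTF control words before filtering the hex, since letters of a word like \par are themselves hex digits), parses the OLE1 wrapper to read the class name, looks for the ListView CLSID, and reports long repeated-byte runs. The CLSID value is an assumption taken from public detection rules (the report does not print the GUID it matched), and the RTF it runs on is constructed inline rather than taken from this sample.

```python
# Added example for this page, not the analyser's code: decode RTF \objdata groups,
# parse the OLE1 wrapper, and apply two of the checks reported above.
import re
import struct
import uuid

# CLSID of MSCOMCTL.ListViewCtrl.2, the control targeted by CVE-2012-0158. Assumption:
# taken from public detection rules; the report does not print the GUID it matched.
LISTVIEW_CLSID = uuid.UUID("BDD1F04B-858B-11D1-B16A-00C0F0283628")
_OBJDATA_START = re.compile(r"\\\*\\objdata", re.I)
# control words (\par, \bin123), hex escapes (\'41) and control symbols (\{)
_CONTROL_RE = re.compile(r"\\[A-Za-z]+-?\d* ?|\\'[0-9A-Fa-f]{2}|\\[^A-Za-z]")

def extract_objdata_groups(rtf):
    """Yield (offset, raw_text) per {\\*\\objdata ...} group; tracks nested braces."""
    for m in _OBJDATA_START.finditer(rtf):
        depth, i = 1, m.end()
        while i < len(rtf) and depth:
            c = rtf[i]
            if c == "\\":
                i += 2                      # skip \{ \} \\ or a control-word start
                continue
            depth += (c == "{") - (c == "}")
            i += 1
        yield m.start(), rtf[m.end():i - 1]

def decode_objdata(raw):
    """Strip control words first, then keep hex digits only: naively deleting
    'non-hex characters' would keep the a-f letters of words like \\par."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", _CONTROL_RE.sub("", raw))
    if len(hexdigits) % 2:
        hexdigits = hexdigits[:-1]          # odd trailing nibble: drop, don't fail
    return bytes.fromhex(hexdigits)

def parse_ole1(blob):
    """OLE1 ObjectHeader at the start of every \\objdata: OLEVersion, FormatID, then
    ClassName/TopicName/ItemName (u32 length + bytes); FormatID 2 = embedded object."""
    version, format_id = struct.unpack_from("<II", blob, 0)
    off, names = 8, []
    for _ in range(3):
        (n,) = struct.unpack_from("<I", blob, off)
        names.append(blob[off + 4:off + 4 + n].rstrip(b"\0").decode("latin-1"))
        off += 4 + n
    native = b""
    if format_id == 2:                      # NativeDataSize + NativeData follow
        (size,) = struct.unpack_from("<I", blob, off)
        native = blob[off + 4:off + 4 + size]
    return {"version": version, "format_id": format_id,
            "class_name": names[0], "native": native}

def find_bytes(blob, needle):
    """All offsets of needle in blob."""
    hits, i = [], blob.find(needle)
    while i != -1:
        hits.append(i)
        i = blob.find(needle, i + 1)
    return hits

def byte_runs(blob, min_len=64):
    """Runs of one repeated byte of at least min_len as (offset, value, length);
    a long 0x41 run is the sled shape behind SC_HEAP_SPRAY."""
    runs, i = [], 0
    while i < len(blob):
        j = i
        while j < len(blob) and blob[j] == blob[i]:
            j += 1
        if j - i >= min_len:
            runs.append((i, blob[i], j - i))
        i = j
    return runs

def analyse(rtf):
    """Per-object summary: class name, decoded size, CLSID hits, spray runs."""
    out = []
    for off, raw in extract_objdata_groups(rtf):
        blob = decode_objdata(raw)
        try:
            class_name = parse_ole1(blob)["class_name"]
        except struct.error:                # truncated or non-OLE1 data
            class_name = None
        out.append({"offset": off, "class_name": class_name, "decoded_len": len(blob),
                    "clsid_hits": find_bytes(blob, LISTVIEW_CLSID.bytes_le),
                    "spray_runs": byte_runs(blob)})
    return out

def build_sample():
    """Constructed RTF for the demo (not the sample above): an embedded object with the
    ListView ProgID, native data carrying the CLSID (on-disk bytes_le form) and a
    200-byte 0x41 sled; hex wrapped onto lines with a junk \\par injected."""
    def lp(s):
        return struct.pack("<I", len(s) + 1) + s + b"\0"
    native = b"\xd0\xcf\x11\xe0" + LISTVIEW_CLSID.bytes_le + b"\x41" * 200
    ole1 = (struct.pack("<II", 0x00000501, 2) + lp(b"MSCOMCTL.ListViewCtrl.2")
            + struct.pack("<III", 0, 0, len(native)) + native)
    hexdata = ole1.hex()
    lines = "\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    lines = lines[:100] + "\\par " + lines[100:]
    return "{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata " + lines + "}}\\par text}"
```

Running `analyse(build_sample())` yields one object whose class name is MSCOMCTL.ListViewCtrl.2, one CLSID hit inside the native data and one 200-byte 0x41 run. Two points carry over to real samples: control words must be removed before the hex is filtered, and the decoded size should be compared with the raw hex volume, because padding after the object's declared NativeData is exactly what RTF_EXCESSIVE_HEX flags.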

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                     Kind                 Source                           Size
objdata_00_off0063f90d.bin   rtf-objdata-decoded  RTF \objdata at offset 0x63F90D  440 bytes
  SHA-256: ea5d234f81e7c6f4d2681a1e14ba35656c4caea1ff0358220f369a5f5b5ba6da
objdata_01_off00648123.bin   rtf-objdata-decoded  RTF \objdata at offset 0x648123  4880 bytes
  SHA-256: c66c418585862289607a8a56ade0f731a24c2e14389ed72c994f38ade764419f
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely
  Static shellcode analysis found candidate code region(s). Indicators: SC_PEB_ACCESS (an x86 read of the Process Environment Block via fs:[0x30], the usual first step of import-free shellcode locating kernel32; "candidate" because a short opcode match can also occur by chance in ordinary data)
objdata_02_off00650ae8.bin   rtf-objdata-decoded  RTF \objdata at offset 0x650AE8  2353 bytes
  SHA-256: efc67427605ac702178de53f9d9379d7180885a26f5530c4c9d82f7b5b808e39
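The SC_PEB_ACCESS indicator on objdata_01 names a pattern without showing it. The following added example, written for this page and not the analyser's implementation, shows what such a scan matches: the 32-bit encodings of a PEB read through fs:[0x30], and the PEB->Ldr load that a kernel32-resolution walk performs immediately afterwards, which raises a lone opcode hit from "candidate" to "confirmed". The stub it scans is constructed here to illustrate the shape (a 0x41 sled followed by the classic loader-list walk); it is not carved from this sample.

```python
# Added example for this page, not the analyser's implementation: the check behind an
# SC_PEB_ACCESS-style indicator, i.e. x86 reads of the PEB through fs:[0x30].

# 32-bit encodings of "mov r32, fs:[0x30]" and "mov r32, fs:[r32+0x30]".
PEB_PATTERNS = {
    b"\x64\xa1\x30\x00\x00\x00":     "mov eax, fs:[0x30]",
    b"\x64\x8b\x0d\x30\x00\x00\x00": "mov ecx, fs:[0x30]",
    b"\x64\x8b\x15\x30\x00\x00\x00": "mov edx, fs:[0x30]",
    b"\x64\x8b\x1d\x30\x00\x00\x00": "mov ebx, fs:[0x30]",
    b"\x64\x8b\x40\x30":             "mov eax, fs:[eax+0x30]",
    b"\x64\x8b\x49\x30":             "mov ecx, fs:[ecx+0x30]",
    b"\x64\x8b\x52\x30":             "mov edx, fs:[edx+0x30]",
    b"\x64\x8b\x5b\x30":             "mov ebx, fs:[ebx+0x30]",
}
# "mov r32, [eax+0x0C]" (PEB->Ldr) for any destination register: the load that normally
# follows a PEB read when shellcode walks the loader lists to find kernel32.
LDR_LOADS = [bytes([0x8B, 0x40 | (reg << 3), 0x0C]) for reg in range(8)]

def find_peb_access(blob):
    """(offset, mnemonic) for every PEB read pattern, lowest offset first."""
    hits = []
    for pat, mnem in PEB_PATTERNS.items():
        i = blob.find(pat)
        while i != -1:
            hits.append((i, mnem))
            i = blob.find(pat, i + 1)
    return sorted(hits)

def followed_by_ldr_load(blob, off, window=24):
    """True if a PEB->Ldr load appears within `window` bytes after the PEB read at
    `off`; a lone 6-byte match can be chance data, the pair rarely is."""
    tail = blob[off:off + window]
    return any(p in tail for p in LDR_LOADS)

def triage_blob(blob):
    """All PEB reads plus the subset confirmed by a following Ldr load."""
    peb = find_peb_access(blob)
    return {"peb_access": peb,
            "confirmed": [(o, m) for o, m in peb if followed_by_ldr_load(blob, o)]}

def build_stub():
    """Constructed stage-1 stub (not carved from the sample above): a 64-byte 0x41 sled,
    each byte decoding as inc ecx, then the classic PEB -> Ldr ->
    InMemoryOrderModuleList walk to the kernel32 image base."""
    code = bytes.fromhex(
        "64a130000000"   # mov eax, fs:[0x30]    ; PEB
        "8b400c"         # mov eax, [eax+0x0c]   ; PEB->Ldr
        "8b7014"         # mov esi, [eax+0x14]   ; Ldr->InMemoryOrderModuleList.Flink
        "ad"             # lodsd                 ; 2nd entry (ntdll)
        "96"             # xchg eax, esi
        "ad"             # lodsd                 ; 3rd entry (kernel32)
        "8b5810"         # mov ebx, [eax+0x10]   ; LDR_DATA_TABLE_ENTRY.DllBase
    )
    return b"\x41" * 64 + code
```

On the constructed stub, `triage_blob` reports the PEB read at offset 64, immediately after the sled, and confirms it because the `[eax+0x0C]` load follows. The pattern table is 32-bit only, which matches the target of CVE-2012-0158 (32-bit Office); 64-bit shellcode reads the PEB through gs:[0x60] and needs its own entries.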