Malicious RTF — malware analysis report

Static analysis result for SHA-256 eed09fa713e54170…

Verdict: MALICIOUS
File type: RTF
Size: 791.0 KB
Created: 2018-04-18 01:59:00
First seen: 2018-04-30
MD5: 0e495b1e38ce80e0ba31c73a5203d09b
SHA-1: 3a433e05a4e19799da80815050717be54d8f596b
SHA-256: eed09fa713e5417090636b85fb30954b82ad2afc39d69c64db4bd68a9a8fe713
Risk Score: 262

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file contains multiple embedded OLE objects and carries an \objupdate control word, a pattern indicative of exploiting vulnerabilities such as CVE-2017-8759 for client execution. ClamAV detections further confirm its malicious nature, flagging it as Doc.Macro.Obfuscation. The primary attack vector is likely a spearphishing attachment, with the embedded OLE object serving as the mechanism to download and execute a secondary payload.

Heuristics (6)

  • CVE-2017-8759 — MSXML SAX OLE activation (severity: critical; tags: CVE likely; rule: CVE_2017_8759)
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • ClamAV: Doc.Dropper.Agent-6547894-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6547894-0
  • \objupdate forces OLE activation (severity: high; rule: RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium; rule: RTF_OBJDATA)
    RTF contains 10 \objdata section(s), i.e. embedded OLE objects.
  • Embedded OLE object (severity: medium; rule: RTF_OBJEMB)
    RTF contains \objemb, an embedded OLE object.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Filename                    Kind                 Source                          Size
objdata_00_off00002c4d.bin  rtf-objdata-decoded  RTF \objdata at offset 0x2C4D   26171 bytes
    SHA-256: 370d1ac94c4acadb336f2dcce9cde8fc90381bdff94e092f143d07e6a7ae5cf6
    Detection: ClamAV: Doc.Dropper.Agent-6547894-0
    Obfuscation or payload: unlikely
objdata_01_off0001586a.bin  rtf-objdata-decoded  RTF \objdata at offset 0x1586A  26171 bytes
    SHA-256: 6ddf1b903caf1bd2d0d8e8d8ee3e758168d6ceeb5cd9fe8f7de8ee2f4cb98fc8
    Detection: ClamAV: Doc.Dropper.Agent-6547894-0
    Obfuscation or payload: unlikely
objdata_02_off00028487.bin  rtf-objdata-decoded  RTF \objdata at offset 0x28487  26171 bytes
    SHA-256: 30ba610d67bafd3a410aea005bf9bbac9f36707da48bbdd2680b77c7ba89d1c2
    Detection: ClamAV: Doc.Dropper.Agent-6547894-0
    Obfuscation or payload: unlikely
objdata_03_off0003b0a4.bin  rtf-objdata-decoded  RTF \objdata at offset 0x3B0A4  26171 bytes
    SHA-256: f54f31b1f79f7fd9b4f334c21470e6567b8b135caaf79c5195c30cec4adef733
    Detection: ClamAV: Doc.Dropper.Agent-6547894-0
    Obfuscation or payload: unlikely
objdata_04_off0004dcc1.bin  rtf-objdata-decoded  RTF \objdata at offset 0x4DCC1  26171 bytes
    SHA-256: 2a6bbd5238a2d88ba5fbad9797167ec41cb1b668c29a1156efee2c801c7df963
    Detection: ClamAV: Doc.Dropper.Agent-6547894-0
    Obfuscation or payload: unlikely
objdata_05_off0006092a.bin  rtf-objdata-decoded  RTF \objdata at offset 0x6092A  26171 bytes
    SHA-256: 7b72b52d9cf683b07a01fbe97d265d8693865a96a677a5a48f55f330f05cc6de
    Detection: ClamAV: Doc.Dropper.Agent-6547894-0
    Obfuscation or payload: unlikely
objdata_06_off00073547.bin  rtf-objdata-decoded  RTF \objdata at offset 0x73547  26171 bytes
    SHA-256: d1e9f4cabba184d4fb49053451def87ed18e3626e44b71aa1bca48ccf621561d
    Detection: ClamAV: Doc.Dropper.Agent-6547894-0
    Obfuscation or payload: unlikely
objdata_07_off00086164.bin  rtf-objdata-decoded  RTF \objdata at offset 0x86164  26171 bytes
    SHA-256: b4a921142b7d93aeac3f17a8ad8550d2649ff8726cfad8e3a593e7cca7227328
    Detection: ClamAV: Doc.Dropper.Agent-6547894-0
    Obfuscation or payload: unlikely
objdata_08_off00098d81.bin  rtf-objdata-decoded  RTF \objdata at offset 0x98D81  26171 bytes
    SHA-256: e38436e7d3530243521a1927e9617241f918ff76476c3eb8572dea4d76f5c9e0
    Detection: ClamAV: Doc.Dropper.Agent-6547894-0
    Obfuscation or payload: unlikely
objdata_09_off000ab99e.bin  rtf-objdata-decoded  RTF \objdata at offset 0xAB99E  26171 bytes
    SHA-256: 6a4b150c870b5af90147fa70ea0e1bda65bedb4d47c71808386fbf42ebc117df
    Detection: ClamAV: Doc.Dropper.Agent-6547894-0
    Obfuscation or payload: unlikely