Emodldr — RTF malware analysis

Static analysis result for SHA-256 efc27e99c9f65d7d…

Verdict: MALICIOUS
File type: RTF
Size: 1.78 MB
Created: 2018-09-28 15:38:00
First seen: 2019-02-10
MD5: 247e052d50cc182b4cf05d2da50ab3f7
SHA-1: 4295a1a7e3205e7e48959e3b30f289a366d97d68
SHA-256: efc27e99c9f65d7d3222479a36231ac65498396786c6c1dc87f4c24eb5d86585
Risk Score: 322

Malware Insights

Emodldr · confidence 95%

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file contains multiple embedded OLE objects carrying an excessive volume of hex-encoded data, and a critical heuristic for CVE-2017-8759 fired, indicating exploitation via MSXML SAX OLE activation. This suggests the file is designed to exploit that vulnerability to execute arbitrary code, most likely by downloading and running a second-stage payload. The ClamAV detection as 'Xls.Malware.Emodldr' further supports this assessment.

Heuristics (9)

  • CVE-2017-8759 — MSXML SAX OLE activation [critical; CVE likely] (CVE_2017_8759)
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • Composite Moniker in RTF OLE object [high; CVE related] (RTF_COMPOSITE_MONIKER_RELATED)
    RTF contains a Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat this as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • ClamAV: Xls.Malware.Emodldr-10058834-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Malware.Emodldr-10058834-0
  • \objupdate forces OLE activation [high] (RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • Large hex data blocks in OLE object [high] (RTF_EXCESSIVE_HEX)
    RTF contains ~1066 KB of hex-encoded data inside \objdata sections, which may hide a payload.
  • Suspicious extracted artifact [high] (EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • OLE object data [medium] (RTF_OBJDATA)
    RTF contains 5 \objdata section(s), i.e. embedded OLE objects.
  • Embedded OLE object [medium] (RTF_OBJEMB)
    RTF contains \objemb, an embedded OLE object.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
objdata_00_off00002aa0.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2AA0 | 169518 bytes
    SHA-256: 8f667d088165bd764cc4ea3b64548e42107f7b3cc7d4ce2ffcb631ed8efbc43f
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved macro source contains an auto-exec entry point and execution/download terms.
objdata_01_off0005b9c7.bin | rtf-objdata-decoded | RTF \objdata at offset 0x5B9C7 | 169518 bytes
    SHA-256: b0db079eb9a86939af2721b6622710d7231b4a53e71ff88244c98ddd351c498d
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved macro source contains an auto-exec entry point and execution/download terms.
objdata_02_off000b48f0.bin | rtf-objdata-decoded | RTF \objdata at offset 0xB48F0 | 169518 bytes
    SHA-256: e2aac9ce132705de0c264dc05ad29770ef279b06071445af2177335ccd132045
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved macro source contains an auto-exec entry point and execution/download terms.
objdata_03_off0010d819.bin | rtf-objdata-decoded | RTF \objdata at offset 0x10D819 | 169518 bytes
    SHA-256: 96c0ba595b4f567aca6f264127fadec88840555398b9f0a4f14488e6dfaad209
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved macro source contains an auto-exec entry point and execution/download terms.
objdata_04_off00166742.bin | rtf-objdata-decoded | RTF \objdata at offset 0x166742 | 169518 bytes
    SHA-256: 5be434f7dda363e2c0ba6c77ef8815e5329c9dc34683fb3dc398f6389e56759a
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved macro source contains an auto-exec entry point and execution/download terms.