Malicious RTF — malware analysis report

Static analysis result for SHA-256 f967feafa6c51066…

MALICIOUS

RTF

386.4 KB Created: 2021-10-03 23:55:00 First seen: 2021-10-11
MD5: 0ce5277179665fcaf70ac9cce191fdfb SHA-1: fc5864f858fe8f83aeb7609e8fbf76c07093b7ca SHA-256: f967feafa6c510665d9cdce40820cc1407840466eb0d385dcc9232a060ade00f
282 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains multiple critical heuristic firings indicating exploitation of CVE-2017-8570 and CVE-2017-8759. These vulnerabilities are known to be used to drop and execute script files, enabling arbitrary code execution. The presence of OLE object data and automatic linking further supports the exploitation of these vulnerabilities for malicious purposes.

Heuristics 8

  • Composite Moniker — CVE-2017-8570 (drops SCT script) critical CVE related CVE_2017_8570
    RTF \objdata decodes to OLE data containing the Composite Moniker — CVE-2017-8570 (drops SCT script) CLSID — the vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
  • CVE-2017-8759 — MSXML SAX OLE activation critical CVE likely CVE_2017_8759
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • Composite Moniker in RTF OLE object high CVE related RTF_COMPOSITE_MONIKER_RELATED
    RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • Automatically linked OLE object high RTF_OBJAUTLINK
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 3 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2003/wordml In RTF body

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000145b0.bin rtf-objdata-decoded RTF \objdata at offset 0x145B0 59049 bytes
SHA-256: 9fab71fca53c01eb0c0cc7f250bb4b68d75569cd24120673336da801b0f9c62f
objdata_01_off00032617.bin rtf-objdata-decoded RTF \objdata at offset 0x32617 2632 bytes
SHA-256: 9d9bc825f2fa5e0ed8db7dce6823e199ad9c775873472d42887214589f205470
objdata_02_off00033bba.bin rtf-objdata-decoded RTF \objdata at offset 0x33BBA 12297 bytes
SHA-256: 44deae4627fee3c44f54d5bd10477ec2e17f4c08135f08e2417832e36d10d037

Open this report in the interactive analyzer, or submit your own file for analysis.