Malicious RTF — malware analysis report

Static analysis result for SHA-256 06f45020ed4810f9…

Verdict: MALICIOUS
File type: RTF
Size: 710.0 KB
Created: 2014-10-15 15:58:00
First seen: 2020-04-06
MD5: 307f6ca55b9749b590a414e31f43743f
SHA-1: fc7bbfda820816795bd3c75625222195ec30b362
SHA-256: 06f45020ed4810f9cb6b20f6dadbbe2838c7c37c77f26ec1b18e0536f05c15ab
Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF carries multiple exploitation indicators. Decoded \objdata streams contain the Composite Moniker CLSID, the delivery shape of CVE-2017-8570 (a moniker chain that drops and runs a .sct scriptlet), and ClamAV also matches the file against its CVE-2017-0199 (OLE2Link/URL moniker) signature. With 30 \objdata sections and an automatically linked (\objautlink) object, the OLE objects, not the benign-looking document body, are the payload, and they render as soon as Word opens the file. Two caveats apply: the Composite Moniker was found without a confirmed scriptlet payload nearby, so the CVE-2017-8570 call rests on the moniker CLSID rather than a recovered .sct, and the Created timestamp (2014-10-15) predates both CVEs; if it comes from the RTF \info group it is plain text inside the file and says nothing reliable about provenance.

Heuristics (7)

  • Composite Moniker — CVE-2017-8570 (drops SCT script) [critical | CVE related | CVE_2017_8570]
    RTF \objdata decodes to OLE data containing the Composite Moniker CLSID ({00000309-0000-0000-C000-000000000046}); the vulnerable moniker is embedded directly in the document's object stream, which is the delivery shape of this exploit. RTF objects auto-render when Word opens the file, so no interaction beyond opening is needed.
  • Composite Moniker in RTF OLE object [high | CVE related | RTF_COMPOSITE_MONIKER_RELATED]
    RTF contains the Composite Moniker CLSID in an OLE object context, but no scriptlet/SCT payload was confirmed nearby. Treat this as moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation; both rules key on the same CLSID, and recovering the dropped .sct from the decoded objects is what would confirm the exploit.
  • ClamAV: Rtf.Exploit.CVE_2017_0199-6335035-0 [critical | CLAMAV_DETECTION]
    ClamAV signature match: Rtf.Exploit.CVE_2017_0199-6335035-0. A signature name is a hint about the exploit family (CVE-2017-0199 is the OLE2Link/URL-moniker RTF exploit), not a verdict on its own; cross-check it against the decoded objects.
  • Automatically linked OLE object [high | RTF_OBJAUTLINK]
    RTF contains \objautlink, an automatically linked OLE object that Word can update or activate when the document is opened. Identify which \objdata section belongs to this object and where its link resolves.
  • OLE object data [medium | RTF_OBJDATA]
    RTF contains 30 \objdata sections (embedded OLE objects). All 30 decode to exactly 4137 bytes yet carry distinct SHA-256 hashes (see Extracted artifacts), so they are same-shaped but not byte-identical; diffing two of them shows what varies between copies.
  • OlePres presentation stream in RTF OLE object [medium | RTF_OLEPRES_STREAM]
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is a normal OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
  • Embedded URL [info | EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label says which channel (macro, JS, link annotation, document body, ...) reached it.
    • http://schemas.microsoft.com/office/word/2003/wordml (in RTF body): the WordML XML namespace that Word writes into the RTF it saves, not a network indicator.
    • http://at-share.anntaylor.com/sites/labdiptracking/Shared%20Documents/Corporate%20Color%20Chart/Corporate%20Color%20Chart.xlsx (in RTF body): a SharePoint document-library path; check whether it is the link target of the \objautlink object before treating it as an IOC.
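The moniker and scriptlet heuristics above come down to a small decoding step that is worth seeing in code. The following Python is an added example written for this page, not the analysis platform's scanner and not data carved from the sample: it decodes every \objdata hex run, searches the decoded OLE object for the standard OLE moniker CLSIDs (in their on-disk little-endian GUID layout) and for scriptlet markers, and then applies the same two-tier logic as the CVE_2017_8570 and RTF_COMPOSITE_MONIKER_RELATED rules. The CLSID constants are the documented OLE32 standard-moniker and Packager class IDs; the RTF at the bottom is constructed inline for the demonstration and its OLE1 header builder is deliberately minimal.

```python
"""Triage RTF \\objdata blobs for OLE moniker CLSIDs and scriptlet payloads (added example)."""
import re
import struct
import uuid

# Standard OLE moniker CLSIDs (OLE32) and the Packager ("Package") class.
MONIKER_CLSIDS = {
    "CompositeMoniker": uuid.UUID("00000309-0000-0000-C000-000000000046"),
    "FileMoniker": uuid.UUID("00000303-0000-0000-C000-000000000046"),
    "ItemMoniker": uuid.UUID("00000304-0000-0000-C000-000000000046"),
    "NewMoniker": uuid.UUID("ECABAFC6-7F19-11D2-978E-0000F8757E2A"),
    "URLMoniker": uuid.UUID("79EAC9E0-BAF9-11CE-8C82-00AA004BA90B"),
}
PACKAGE_CLSID = uuid.UUID("F20DA720-C02F-11CE-927B-0800095AE340")

# Markers that indicate a Windows Script Component (.sct) payload travelling with an object.
SCRIPTLET_MARKERS = (b"<scriptlet", b".sct", b"scriptletfile")

# \objdata is followed by a run of hex digits (whitespace allowed) up to the closing brace.
# Obfuscated RTF may splice control words into that run; that needs a real tokenizer
# (e.g. oletools' rtfobj) and is out of scope for this example.
OBJDATA_RE = re.compile(rb"\\objdata\b([0-9A-Fa-f\s]+)")


def extract_objdata(rtf: bytes):
    """Yield (offset, decoded bytes) for every \\objdata hex run in the RTF."""
    for m in OBJDATA_RE.finditer(rtf):
        hexrun = re.sub(rb"\s+", b"", m.group(1))
        if len(hexrun) % 2:  # tolerate a truncated trailing nibble instead of raising
            hexrun = hexrun[:-1]
        yield m.start(), bytes.fromhex(hexrun.decode("ascii"))


def scan_object(blob: bytes) -> dict:
    """Find moniker CLSIDs (little-endian GUID bytes) and scriptlet markers in one object."""
    monikers = [name for name, clsid in MONIKER_CLSIDS.items() if clsid.bytes_le in blob]
    # Paths inside monikers are often UTF-16LE, so check both encodings of each marker.
    scriptlet = any(mk in blob or mk.decode("ascii").encode("utf-16-le") in blob
                    for mk in SCRIPTLET_MARKERS)
    return {"size": len(blob), "monikers": monikers,
            "package": PACKAGE_CLSID.bytes_le in blob, "scriptlet": scriptlet}


def classify(rtf: bytes) -> dict:
    """Composite Moniker + scriptlet -> CVE-2017-8570 shape; Composite Moniker alone -> related only."""
    objects = []
    for offset, blob in extract_objdata(rtf):
        info = scan_object(blob)
        info["offset"] = offset
        objects.append(info)
    composite = any("CompositeMoniker" in o["monikers"] for o in objects)
    scriptlet = any(o["scriptlet"] for o in objects)
    if composite and scriptlet:
        verdict = "CVE_2017_8570"
    elif composite:
        verdict = "RTF_COMPOSITE_MONIKER_RELATED"
    else:
        verdict = "NO_MONIKER_INDICATOR"
    return {"objdata_count": len(objects), "objautlink": b"\\objautlink" in rtf,
            "verdict": verdict, "objects": objects}


def ole1_embedded(class_name: bytes, native: bytes) -> bytes:
    """Minimal MS-OLEDS EmbeddedObject: OLEVersion, FormatID=2, ClassName,
    empty TopicName/ItemName, NativeDataSize, NativeData. Sample-building only."""
    name = class_name + b"\x00"
    return (struct.pack("<II", 0x00000501, 2)
            + struct.pack("<I", len(name)) + name
            + struct.pack("<II", 0, 0)
            + struct.pack("<I", len(native)) + native)


def build_sample_rtf(with_scriptlet: bool = True) -> bytes:
    """Constructed RTF (not from the analysed sample): an \\objautlink object whose data carries
    a Composite -> (File, New) moniker chain, optionally followed by a Package object
    whose native data is a .sct scriptlet."""
    chain = (MONIKER_CLSIDS["CompositeMoniker"].bytes_le + struct.pack("<I", 2)
             + MONIKER_CLSIDS["FileMoniker"].bytes_le + MONIKER_CLSIDS["NewMoniker"].bytes_le)
    parts = [b"{\\object\\objautlink{\\*\\objdata "
             + ole1_embedded(b"OLE2Link", chain).hex().encode() + b"}}"]
    if with_scriptlet:
        sct = (b'<?XML version="1.0"?><scriptlet><registration progid="demo"/>'
               b'<script language="JScript"><![CDATA[ /* payload omitted */ ]]></script></scriptlet>')
        parts.append(b"{\\object\\objemb{\\*\\objdata "
                     + ole1_embedded(b"Package", PACKAGE_CLSID.bytes_le + sct).hex().encode() + b"}}")
    return b"{\\rtf1\\ansi\n" + b"\n".join(parts) + b"\n}"


if __name__ == "__main__":
    import json
    print(json.dumps(classify(build_sample_rtf()), indent=2))
```

To run it against a real file, pass the file's bytes to classify(): each of the 30 objects in this report would appear with its offset, moniker list, Package flag and scriptlet flag, which is exactly the per-object evidence needed to decide between the critical and the related rule above. Where the hex run is broken up by injected control words, fall back to oletools' rtfobj, which tokenizes RTF properly rather than pattern-matching it.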

Extracted artifacts (30)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size (each entry's SHA-256 follows on the next line)
objdata_00_off000038a9.bin rtf-objdata-decoded RTF \objdata at offset 0x38A9 4137 bytes
SHA-256: 360ada652c4a1f4e21631c5cc7ccf7610aeeff29fb726808d94b65e899a9298b
objdata_01_off000064b7.bin rtf-objdata-decoded RTF \objdata at offset 0x64B7 4137 bytes
SHA-256: 6c49898621153219b873ac97286c6ab2c02ef1e98193aa2fc3540388bcde9726
objdata_02_off0000910f.bin rtf-objdata-decoded RTF \objdata at offset 0x910F 4137 bytes
SHA-256: 2e4a20cb5a5a8f4b7b4599a452024214e70dd55f075ac958454cc621b57e6435
objdata_03_off0000bda6.bin rtf-objdata-decoded RTF \objdata at offset 0xBDA6 4137 bytes
SHA-256: 20a55e5b6c35cca070214cceb98a2a759496763e6abbdb46b739d663a34dab5d
objdata_04_off0000ea0e.bin rtf-objdata-decoded RTF \objdata at offset 0xEA0E 4137 bytes
SHA-256: 72590a9939dd2f85d851cc57aeb5ad8a87b0178c8327e8fa6480093eb5879786
objdata_05_off00011d60.bin rtf-objdata-decoded RTF \objdata at offset 0x11D60 4137 bytes
SHA-256: 1b4b9e66e52234a5035a986e6bafa340c603d0af5d2b911426edb5e513dc533c
objdata_06_off0001497f.bin rtf-objdata-decoded RTF \objdata at offset 0x1497F 4137 bytes
SHA-256: 90d42d34e0937111d609a89328f3710d0d29aea78c17e433a79b183edf41727d
objdata_07_off00017520.bin rtf-objdata-decoded RTF \objdata at offset 0x17520 4137 bytes
SHA-256: babba320339884974a6fdb8c7312c83a41d88523ae79011b3d48eaf1fc386c6e
objdata_08_off0001a06a.bin rtf-objdata-decoded RTF \objdata at offset 0x1A06A 4137 bytes
SHA-256: 2b069f8de9b5c1faa14ec18b881f8d8a6fd4f2bfd995049003abdd855d6567d4
objdata_09_off0001cc0b.bin rtf-objdata-decoded RTF \objdata at offset 0x1CC0B 4137 bytes
SHA-256: b3bfb61d0abad565171322f39fdeb0f55319239891ce964289d63d05beb8d67b
objdata_10_off0001fe74.bin rtf-objdata-decoded RTF \objdata at offset 0x1FE74 4137 bytes
SHA-256: a4ac60628dc26f7ecdaa491bec777c6a249b5f45f032785812f7e7083e3490b6
objdata_11_off00022a13.bin rtf-objdata-decoded RTF \objdata at offset 0x22A13 4137 bytes
SHA-256: 336417f44a4cf82be25b5cc28e3e79d6220a5d6bf356f33c35469d6bba382420
objdata_12_off000255ae.bin rtf-objdata-decoded RTF \objdata at offset 0x255AE 4137 bytes
SHA-256: b42d3d7353fe77346f1d08b7371cfeab52fa6a708ee0f187d855307357545ed3
objdata_13_off000280f9.bin rtf-objdata-decoded RTF \objdata at offset 0x280F9 4137 bytes
SHA-256: 1087cc9e6716a15a14d7400077213f8a5841fb44c4e95d43c59835cbb4e9b163
objdata_14_off0002ac4b.bin rtf-objdata-decoded RTF \objdata at offset 0x2AC4B 4137 bytes
SHA-256: 40475749465a672ccb50fdf0f894c5a2d181984a34df412ce46470e4d6554ce6
objdata_15_off0002de28.bin rtf-objdata-decoded RTF \objdata at offset 0x2DE28 4137 bytes
SHA-256: 1c6c31b1f6d0028d467c1744d77dd58ff1d0cbd97c52639d84527a7266271509
objdata_16_off000308e5.bin rtf-objdata-decoded RTF \objdata at offset 0x308E5 4137 bytes
SHA-256: a8d5975b45407fe6b5b63fd6962ffb3ac57cc6d33f440d15e191a1eb9f11e8c3
objdata_17_off00033350.bin rtf-objdata-decoded RTF \objdata at offset 0x33350 4137 bytes
SHA-256: 1d08f93e6f329b0be8356a75b73dbd0cbb377f8317661bee64103f5f8ed1b2d9
objdata_18_off00035db9.bin rtf-objdata-decoded RTF \objdata at offset 0x35DB9 4137 bytes
SHA-256: 659472e50506898926ef327cacb3df66d2bf0967374e684f21498f9a52f877ec
objdata_19_off00038897.bin rtf-objdata-decoded RTF \objdata at offset 0x38897 4137 bytes
SHA-256: cfd257015e35d2809d4d58b0410962f9863c393a031600363d969de189351ee7
objdata_20_off0003baad.bin rtf-objdata-decoded RTF \objdata at offset 0x3BAAD 4137 bytes
SHA-256: 1861d3ce5518f1f51822d61bf8e734a8bb046bb8e8d1e7984299dd472b902381
objdata_21_off0003e5e3.bin rtf-objdata-decoded RTF \objdata at offset 0x3E5E3 4137 bytes
SHA-256: 2231ffc15e9e1b8d27d701ccfdb67b23b2b744662bfa29c1b2187a8e1e13ec36
objdata_22_off00041164.bin rtf-objdata-decoded RTF \objdata at offset 0x41164 4137 bytes
SHA-256: 65f385986bcadfc8ac8430f605f01cdff8922a5febed82e72a01a3ea2622332c
objdata_23_off00043cfc.bin rtf-objdata-decoded RTF \objdata at offset 0x43CFC 4137 bytes
SHA-256: a7bf8abbb4e5561842fdffa7f8f9939d988507f945bbab49bd6878d5c83d3e9c
objdata_24_off00046895.bin rtf-objdata-decoded RTF \objdata at offset 0x46895 4137 bytes
SHA-256: 0f6dcde1c2aa4aba089cc107573c01e8fd42bbe0e790b47bfddf0ca50d074b0b
objdata_25_off00049a98.bin rtf-objdata-decoded RTF \objdata at offset 0x49A98 4137 bytes
SHA-256: 0d62ff8fda49f3fc9d178e7fadbdf699ef16ebd939223745c1b9c928d2d483ea
objdata_26_off0004c62e.bin rtf-objdata-decoded RTF \objdata at offset 0x4C62E 4137 bytes
SHA-256: 1ef3239429d4a3b0899a11d112440e134a6572a77ac1575a7b022badaed29acf
objdata_27_off0004f16b.bin rtf-objdata-decoded RTF \objdata at offset 0x4F16B 4137 bytes
SHA-256: 08e9674bb5c96f9fe6ef2ae9c52d8d53348298a6167783b1ab3d49eba502effb
objdata_28_off00051cfd.bin rtf-objdata-decoded RTF \objdata at offset 0x51CFD 4137 bytes
SHA-256: c1af4f4e524921605e76fe804110c0370d8d98583022bcc3cc189ff831b60c82
objdata_29_off0005488f.bin rtf-objdata-decoded RTF \objdata at offset 0x5488F 4137 bytes
SHA-256: 5c9688ab59c5e1feb1100bbb14ea6571115aa34e83bc413efb30282732c9b7ab