Malicious RTF — malware analysis report

Static analysis result for SHA-256 1636afb93168bbba…

MALICIOUS

RTF

Size: 1.75 MB
Created: 2010-05-10 09:16:00
MD5: ab73782cff86230475599523fdab3ac2
SHA-1: 71ff6c36ba3f2939913a30ffec81f8b3e4144180
SHA-256: 1636afb93168bbba4df4dbc7eac85fe6d8107fd5864c824257b02910f7087593
Risk Score: 122

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The RTF file contains an embedded OLE object carrying a large amount of hex-encoded data, a common technique for hiding malicious payloads. The presence of a Composite Moniker CLSID further indicates potential exploitation of the moniker attack surface. While the document body discusses a liability waiver, the heuristics strongly suggest the RTF is a container for malicious content rather than a benign document.

Heuristics (5)

  • Composite Moniker in RTF OLE object (severity: high; tags: CVE related; rule: RTF_COMPOSITE_MONIKER_RELATED)
    RTF contains a Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • Large hex data blocks in OLE object (severity: high; rule: RTF_EXCESSIVE_HEX)
    RTF contains ~1802 KB of hex-encoded data inside \objdata sections, which may hide a payload.
  • OLE object data (severity: medium; rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s), i.e. embedded OLE objects.
  • Embedded OLE object (severity: medium; rule: RTF_OBJEMB)
    RTF contains \objemb, an embedded OLE object.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000025b4.bin
  SHA-256: 59c9b8c3e9149d04bba7292da8cad0562fbe44a50a8fb6ca97d064f9a8aab7c7
  Kind:    rtf-objdata-decoded
  Source:  RTF \objdata at offset 0x25B4
  Size:    181726 bytes