Malicious RTF — malware analysis report

Static analysis result for SHA-256 164745cb5657a563…

Verdict: MALICIOUS
File type: RTF
Size: 570.6 KB
Created: 2014-10-15 15:58:00
First seen: 2019-09-30
MD5: a258337c6fb9d4494dd1aff8e6b4dd2c
SHA-1: 7e4458d9dd57847d877d2a8807b89f495fb1e9cb
SHA-256: 164745cb5657a5637be6a4f6279104ccb1295acbacb2f955b678f7ca4283bc71
Risk score: 242

Malware Insights

MITRE ATT&CK: T1203 Exploitation for Client Execution

The RTF file contains multiple OLE objects, triggers a critical heuristic for CVE-2017-8570 and matches ClamAV's Rtf.Exploit.CVE_2017_0199-6335035-0 signature. This indicates the file is designed to exploit these vulnerabilities, most likely to execute a secondary payload such as a script. The visible document body consists of color codes and product numbers, which is most likely lure content or obfuscation.

Heuristics (7)

  • Composite Moniker — CVE-2017-8570 (drops SCT script) [critical; CVE related; CVE_2017_8570]
    RTF \objdata decodes to OLE data containing the Composite Moniker CLSID used by CVE-2017-8570 (drops SCT script); the vulnerable control/moniker is embedded directly in the document's object stream, which is the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
  • Composite Moniker in RTF OLE object [high; CVE related; RTF_COMPOSITE_MONIKER_RELATED]
    RTF contains the Composite Moniker CLSID in an OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • ClamAV: Rtf.Exploit.CVE_2017_0199-6335035-0 [critical; CLAMAV_DETECTION]
    ClamAV detected this file as malware: Rtf.Exploit.CVE_2017_0199-6335035-0
  • Automatically linked OLE object [high; RTF_OBJAUTLINK]
    RTF contains \objautlink, an automatically linked OLE object that can be updated or activated when Word opens the document.
  • OLE object data [medium; RTF_OBJDATA]
    RTF contains 15 \objdata section(s), i.e. embedded OLE objects.
  • OlePres presentation stream in RTF OLE object [medium; RTF_OLEPRES_STREAM]
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
  • Embedded URL [info; EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)
    • http://at-share.anntaylor.com/sites/labdiptracking/Shared%20Documents/Corporate%20Color%20Chart/Corporate%20Color%20Chart.xlsx (in RTF body)

Extracted artifacts (15)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
objdata_00_off00003884.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3884 | 4137 bytes | 8ceedecbcd87a7b56530b3353bb2b2d8cbe113023e740962617ad2f109883c83
objdata_01_off000063c7.bin | rtf-objdata-decoded | RTF \objdata at offset 0x63C7 | 4137 bytes | 25774a5f3bfaaeaa85d40c557e7a37b4665e67954f68d6db1c6a6c2005143e73
objdata_02_off000090a0.bin | rtf-objdata-decoded | RTF \objdata at offset 0x90A0 | 4137 bytes | b86410a6cb7eff00a5d8e2c5ad9274825e22f7f01bf83dfce4de998d7869319a
objdata_03_off0000bcb8.bin | rtf-objdata-decoded | RTF \objdata at offset 0xBCB8 | 4137 bytes | 525300095a4462a055cfb9b0828f46c7158c4c41e241abaa1a3e4c370b4dc1de
objdata_04_off0000e8ca.bin | rtf-objdata-decoded | RTF \objdata at offset 0xE8CA | 4137 bytes | 68ee7282168ad8dd04e3e9818900a44611ed63e56617fa4779c3d317f2a19c3d
objdata_05_off00011c1c.bin | rtf-objdata-decoded | RTF \objdata at offset 0x11C1C | 4137 bytes | 9edf9d0287e7c69b6ab3a692c19abc5a7e4728788a6f2b8ad0187e0145fc8d09
objdata_06_off0001483b.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1483B | 4137 bytes | 28b9a401de81747b2ffb349f694a4a99438bf0032d65512ee7faa4bfd7228575
objdata_07_off000173dc.bin | rtf-objdata-decoded | RTF \objdata at offset 0x173DC | 4137 bytes | 81f776699fab28d74199e3268ecee183a35dc56a8b05812e5d8222285d0b815f
objdata_08_off00019f26.bin | rtf-objdata-decoded | RTF \objdata at offset 0x19F26 | 4137 bytes | 8b1ddee0cd75c9c42863002667311cc0601e4a555da9640832a4a8b423cecbe9
objdata_09_off0001cac7.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1CAC7 | 4137 bytes | 416a4706dabc5b2684f50e8102c563499c991171c98c7bf4d506942422579e0d
objdata_10_off0001fd30.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1FD30 | 4137 bytes | f68cdd6fd2f59230a8a515a53f81fa89688b8a8dbeddf97a86dc252062be8122
objdata_11_off000228cf.bin | rtf-objdata-decoded | RTF \objdata at offset 0x228CF | 4137 bytes | 0ed3290d0e1ba6e7ea714b53ac9720d098d1d9f8a7b617e2bb580994ceec4b11
objdata_12_off0002546a.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2546A | 4137 bytes | 22830ccde31145e1215610c74c11eb5608126ef203fc39597e2b405a040241ea
objdata_13_off00027fb5.bin | rtf-objdata-decoded | RTF \objdata at offset 0x27FB5 | 4137 bytes | 6aef8061a9f191759d11aa4c9257500479566e99b230f4fe3211bc23878961d6
objdata_14_off0002ab07.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2AB07 | 4137 bytes | 1a5428e5f5e7286faa781ff8805369828fe941a081512fe37ecccb3ff9d9d74c