Malicious RTF — malware analysis report

Static analysis result for SHA-256 1f7f28f0d4af716a…

Verdict: MALICIOUS
File type: RTF
Size: 762.4 KB
Created: 2020-04-12 12:56:00
First seen: 2021-05-04
MD5: 5ee4ab6af12b3c145b2e4a30db38d5db
SHA-1: 478ac9638cc537e81eac20c9b1879f8ecee0c3d2
SHA-256: 1f7f28f0d4af716a49bb90d1076fcdfc7b12c72ff6bd3899533ac7065ca23aaf
Risk Score: 242

Heuristics (7)

  • Composite Moniker — CVE-2017-8570 (drops SCT script) [critical; CVE related; CVE_2017_8570]
    RTF \objdata decodes to OLE data containing the Composite Moniker CLSID associated with CVE-2017-8570 (drops SCT script). The vulnerable control/moniker is embedded directly in the document's object stream, which is the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
  • Composite Moniker in RTF OLE object [high; CVE related; RTF_COMPOSITE_MONIKER_RELATED]
    RTF contains the Composite Moniker CLSID in an OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat this as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • ClamAV: Rtf.Exploit.CVE_2017_0199-6335035-0 [critical; CLAMAV_DETECTION]
    ClamAV detected this file as malware: Rtf.Exploit.CVE_2017_0199-6335035-0
  • Automatically linked OLE object [high; RTF_OBJAUTLINK]
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • OLE object data [medium; RTF_OBJDATA]
    RTF contains 8 \objdata section(s) — embedded OLE objects.
  • OlePres presentation stream in RTF OLE object [medium; RTF_OLEPRES_STREAM]
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
  • Embedded URL [info; EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://www.frascanada.ca/en/aspe/effective-dates — In RTF body
    • http://schemas.microsoft.com/office/word/2003/wordml — In RTF body
    • https://domvoting-my.sharepoint.com/personal/yash_dave_dominionvoting_com/Documents/Desktop/Financial%20Statements%202020/DIH%20Consolidated%20Draft%20FS%20FYE%202020%20v1.xlsx — In RTF body
    • https://domvoting-my.sharepoint.com/personal/yash_dave_dominionvoting_com/Documents/Desktop/Financial%20Statements%202020/DIH% — In RTF body

Extracted artifacts (8)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
objdata_00_off0000f1fb.bin | rtf-objdata-decoded | RTF \objdata at offset 0xF1FB | 30712 bytes | de6740b2324c978e2cc1ff142d9c3dbd4d8ae78e154d7589c660d3f8b8f043dc
objdata_01_off000261ab.bin | rtf-objdata-decoded | RTF \objdata at offset 0x261AB | 19196 bytes | 9ab67650ffc0af62d9d92dc24f0d43ada64d0fdae4f65cb9c3a73f9debf206fe
objdata_02_off00034cdc.bin | rtf-objdata-decoded | RTF \objdata at offset 0x34CDC | 28268 bytes | 7cb4eae4fd090abb57a7a10518c511f099db1099be20f88162a0cd69d7c51fb0
objdata_03_off000587db.bin | rtf-objdata-decoded | RTF \objdata at offset 0x587DB | 8082 bytes | 22b27da5b421ed3c4078be354aabf02dadd290bf9c8816d35ce3f6574301f0ea
objdata_04_off0005e07e.bin | rtf-objdata-decoded | RTF \objdata at offset 0x5E07E | 14010 bytes | a3db11fa511619467daeda592d048fca6e3c5c872dd69c5763efb23980fdcc05
objdata_05_off0006796a.bin | rtf-objdata-decoded | RTF \objdata at offset 0x6796A | 9354 bytes | f7b334d42a1c60753d8aee9d9fa4d01070361adf496ecedeb2dd3fb5f56f4a87
objdata_06_off0006d76f.bin | rtf-objdata-decoded | RTF \objdata at offset 0x6D76F | 11740 bytes | 4f468ff0025fcdfc493e2a00980505f925c893ea36d48c181c8bffd8d3374e40
objdata_07_off0008056f.bin | rtf-objdata-decoded | RTF \objdata at offset 0x8056F | 34157 bytes | 0983b004448c7fbd83224b59f748bf4e51e7253a9a73d4482adf02e26a881e09