Malicious RTF — malware analysis report

Static analysis result for SHA-256 29199502bec9e76d…

MALICIOUS

RTF

Size: 2.12 MB | Created: 2020-06-15 15:17:00 | First seen: 2021-07-07
MD5: edc1f57dceff058f3cc3570a34f9487f
SHA-1: 651c2349cc58d69fb2ad518aa4a7b304f54bb0d0
SHA-256: 29199502bec9e76dba88112c5bb0bafc8817dfaa2d7a4195d7d693ed8337f483
Risk score: 202

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file contains OLE object data and exhibits characteristics of CVE-2017-8570, a Composite Moniker vulnerability whose exploits are known to drop SCT scriptlets. The presence of excessive hex data and a Composite Moniker CLSID further suggests that malicious content is embedded in the object stream. While the document body appears to be medical information, the underlying RTF structure indicates an attempt to execute a secondary payload when the file is opened.

Heuristics (6)

  • Composite Moniker — CVE-2017-8570 (drops SCT script) [critical, CVE related, CVE_2017_8570]
    The RTF \objdata decodes to OLE data containing the Composite Moniker CLSID associated with CVE-2017-8570 (drops SCT script). The vulnerable moniker is embedded directly in the document's object stream, which is the delivery shape of this exploit. RTF objects auto-render when Word opens the file, so no user interaction beyond opening is required.
  • Composite Moniker in RTF OLE object [high, CVE related, RTF_COMPOSITE_MONIKER_RELATED]
    The RTF contains the Composite Moniker CLSID in an OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat this as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • Automatically linked OLE object [high, RTF_OBJAUTLINK]
    The RTF contains \objautlink, an automatically linked OLE object that can be updated or activated when Word opens the document.
  • Large hex data blocks in OLE object [high, RTF_EXCESSIVE_HEX]
    The RTF contains ~1217 KB of hex-encoded data inside \objdata sections, which may hide a payload.
  • OLE object data [medium, RTF_OBJDATA]
    The RTF contains 1 \objdata section(s), i.e. embedded OLE objects.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0020be74.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x20BE74
Size: 5673 bytes
SHA-256: 931799736a3e911cd04e2fe67b71883d6ca6e5064972156b832c4734221b2836