Malicious RTF — malware analysis report

Static analysis result for SHA-256 29e439d60f7fd1fb…

Verdict: MALICIOUS
File type: RTF
Size: 314.2 KB
MD5: e5e047cebac68adab0767c248ea09b7f
SHA-1: a51bebabd029ce486d64647f75dfbd4951ce7178
SHA-256: 29e439d60f7fd1fb2203ec8cc1a4fdfcdacd78863bccc859ef2774e005f42715
Risk score: 180

Malware Insights

MITRE ATT&CK
  • T1204.002 User Execution: Malicious File
  • T1566.001 Phishing: Spearphishing Attachment

The RTF file carries multiple OLE-object heuristics, including an automatic link (\objautlink) and an update trigger (\objupdate), which indicate that it is built to activate embedded content as soon as Word opens it. The document body explicitly tells the user to 'Enable Editing' and 'download the document'. RTF cannot carry VBA macros, so here the lure is aimed at getting the victim out of Protected View, the mode in which Word does not activate OLE objects; it is the same social-engineering pattern used by macro-enabled droppers. The embedded OLE objects are the likely vehicle for executing arbitrary code or downloading further stages.

Heuristics (6)

  • Composite Moniker in RTF OLE object [high, CVE related] RTF_COMPOSITE_MONIKER_RELATED
    The RTF contains the Composite Moniker CLSID in an OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat this as evidence of related moniker attack surface rather than proof of CVE-2017-8570 exploitation.
  • Automatically linked OLE object [high] RTF_OBJAUTLINK
    The RTF contains \objautlink, an automatically linked OLE object that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation [high] RTF_OBJUPDATE
    The RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, without any user interaction. Most often seen in Equation Editor exploit documents, and also used by moniker-based chains.
  • OLE object data [medium] RTF_OBJDATA
    The RTF contains 4 \objdata section(s), i.e. embedded OLE objects (carved under Extracted artifacts below).
  • Embedded OLE object [medium] RTF_OBJEMB
    The RTF contains \objemb, an embedded OLE object.
  • Macro/content-enable lure [medium] SE_ENABLE_LURE
    The document instructs the user to enable macros or editing, a common technique droppers use to talk the victim past Office's Protected View and macro security settings.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • objdata_00_off00000965.bin
    SHA-256: c9f0c696afa29b4fae7db098082965c0577e44eb113cb07d227609349cf4b3e0
    Kind: rtf-objdata-decoded   Source: RTF \objdata at offset 0x965   Size: 49687 bytes
  • objdata_01_off00007114.bin
    SHA-256: fd97cb0f9a2fa4f20d713c2e4a174893fe859dd0e04a8b289f5be946eea99380
    Kind: rtf-objdata-decoded   Source: RTF \objdata at offset 0x7114   Size: 49660 bytes
  • objdata_02_off00020531.bin
    SHA-256: 3cd3b7d42e5855c90d6d11c54ef2670ed8970441480cc23f7d39ef08fa1c935b
    Kind: rtf-objdata-decoded   Source: RTF \objdata at offset 0x20531   Size: 2632 bytes
  • objdata_03_off00021ad4.bin
    SHA-256: e8d4fe950caed6dcfde26f4b616825bbe11b93458425974b7d075167f675abf7
    Kind: rtf-objdata-decoded   Source: RTF \objdata at offset 0x21AD4   Size: 12297 bytes
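Added example, not part of this report or of the analysis engine that produced it: a small Python scanner that applies the same checks as the heuristics and artifact sections above to an RTF body. It counts \objupdate, \objautlink, \objemb and \objdata, carves and hex-decodes every \objdata blob at its byte offset (the same offset convention the objdata_NN_offXXXXXXXX filenames use), looks in the decoded bytes for the well-known Composite Moniker, File Moniker and Equation.3 CLSIDs, and searches the text for enable-editing lure phrases. The sample RTF, the OLE1 header builder and the CLSID labels are constructed for this example; the GUID values themselves are the standard COM CLSIDs.

```python
import re
import struct
import uuid

# Well-known COM CLSIDs in the little-endian byte order they appear in OLE
# streams. The labels are this example's own triage notes, not a verdict:
# a Composite Moniker is attack-surface evidence, not proof of exploitation.
KNOWN_CLSIDS = {
    uuid.UUID("00000309-0000-0000-C000-000000000046").bytes_le: "Composite Moniker",
    uuid.UUID("00000303-0000-0000-C000-000000000046").bytes_le: "File Moniker",
    uuid.UUID("0002CE02-0000-0000-C000-000000000046").bytes_le: "Equation.3 (Equation Editor)",
}

OLE_CONTROL_WORDS = ("objupdate", "objautlink", "objemb", "objdata")
LURE_PHRASES = ("enable editing", "enable content", "enable macros", "download the document")

# \objdata followed by a run of hex digits and whitespace, up to the group's closing brace.
_HEX_RE = re.compile(rb"\\objdata(?![A-Za-z])\s*([0-9A-Fa-f\s]+)")
# Control words are letters terminated by a non-letter, so \objw100 must not match \obj*.
_CW_RE = re.compile(rb"\\(" + b"|".join(w.encode() for w in OLE_CONTROL_WORDS) + rb")(?![A-Za-z])")


def carve_objdata(rtf: bytes):
    """Yield (offset, decoded_bytes) for every \\objdata hex blob.

    Offset is the byte position of the control word. In-the-wild samples
    obfuscate the hex run with stray control words and nested groups, which
    this whitespace-tolerant regex does not handle; use an rtfobj-grade parser
    for real files. Good enough for the constructed sample below.
    """
    for m in _HEX_RE.finditer(rtf):
        hexrun = re.sub(rb"\s", b"", m.group(1))
        if len(hexrun) % 2:          # odd nibble count: drop the dangling nibble
            hexrun = hexrun[:-1]
        yield m.start(), bytes.fromhex(hexrun.decode("ascii"))


def scan_rtf(rtf: bytes) -> dict:
    """Return the OLE heuristics and carved-object summary for one RTF body."""
    counts = {w: 0 for w in OLE_CONTROL_WORDS}
    for m in _CW_RE.finditer(rtf):
        counts[m.group(1).decode()] += 1

    objects = []
    for off, blob in carve_objdata(rtf):
        clsids = [name for guid, name in KNOWN_CLSIDS.items() if guid in blob]
        objects.append({"offset": off, "size": len(blob), "clsids": clsids})

    text = rtf.decode("latin-1").lower()
    lures = [p for p in LURE_PHRASES if p in text]

    return {
        "control_words": counts,
        "objects": objects,
        "forced_activation": counts["objupdate"] > 0,   # \objupdate: no click needed
        "auto_link": counts["objautlink"] > 0,
        "lures": lures,
    }


def _ole1_header(class_name: bytes, native: bytes) -> bytes:
    """Minimal OLE1 embedded object (MS-OLEDS): OLEVersion, FormatID=2 (embedded),
    length-prefixed class name, empty topic/item names, NativeDataSize, NativeData."""
    return (struct.pack("<II", 0x00000501, 2)
            + struct.pack("<I", len(class_name) + 1) + class_name + b"\x00"
            + struct.pack("<II", 0, 0)
            + struct.pack("<I", len(native)) + native)


def build_sample_rtf() -> bytes:
    """Constructed sample (not the analysed file): one \\objemb\\objupdate object whose
    native data carries the Composite Moniker CLSID, plus an Enable Editing lure."""
    native = b"\x00" * 8 + uuid.UUID("00000309-0000-0000-C000-000000000046").bytes_le + b"\x00" * 8
    blob = _ole1_header(b"OLE2Link", native).hex().encode()
    lines = b"\n".join(blob[i:i + 64] for i in range(0, len(blob), 64))
    return (b"{\\rtf1\\ansi\n"
            b"\\par This document is protected. Click Enable Editing and download the document.\n"
            b"{\\object\\objemb\\objupdate\\objw100\\objh100{\\*\\objclass OLE2Link}"
            b"{\\*\\objdata\n" + lines + b"\n}}\n}")


if __name__ == "__main__":
    for key, value in scan_rtf(build_sample_rtf()).items():
        print(f"{key}: {value}")
```

Running it on the constructed sample reports one carved object of 65 decoded bytes tagged "Composite Moniker", forced activation via \objupdate, and both lure phrases. On a real sample the decoded sizes are what the artifact list above reports (49687 bytes and so on), roughly half the length of the hex run in the file, so comparing carved sizes against the \objdata span is a quick sanity check that decoding did not stop early at an obfuscating control word.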