Gandcrab — RTF malware analysis

Static analysis result for SHA-256 2fcab21d4d5863ef…

Verdict: MALICIOUS
File type: RTF
File size: 600.8 KB
MD5: c0d376a5461e08532976193aebacaf6a
SHA-1: 34cd5e91428e6060a760037741258a8ec8e10921
SHA-256: 2fcab21d4d5863ef934dd19e96379fb5e796b9ae4d77d1d6784bfc25887ffacb
Risk Score: 402

Malware Insights

Gandcrab · confidence 95%

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File
  • T1059.003 Windows Command Shell

The RTF file contains multiple indicators of exploitation, including OLE object data, an Equation Editor CLSID, and an \objupdate directive that forces OLE activation. A critical heuristic also detected a PE header in hex-encoded data, suggesting an embedded executable. The ClamAV detection 'Win.Dropper.Gandcrab-7077551-0' strongly indicates the Gandcrab family. The embedded URL 'http://test1.ru/newbuild/t.php?thread=0&stats=send' is likely used to download the secondary payload, a tactic common to droppers.

Heuristics (11)

  • Composite Moniker in RTF OLE object · high · CVE related · RTF_COMPOSITE_MONIKER_RELATED
    RTF contains a Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • Equation Editor CLSID · critical · RTF_EQUATION_EDITOR
    Equation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798.
  • PE header (with DOS stub) in hex data · critical · RTF_MZ_HEX
    Hex-encoded PE (MZ + DOS stub) found inside the RTF — likely an embedded executable payload.
  • ClamAV: Win.Dropper.Gandcrab-7077551-0 · critical · CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Dropper.Gandcrab-7077551-0.
  • ClamAV detection on extracted artifact · critical · EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • \objupdate forces OLE activation · high · RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • INCLUDETEXT/INCLUDEPICTURE remote URL · high · RTF_INCLUDE_REMOTE
    RTF document uses INCLUDETEXT or INCLUDEPICTURE with an http:// URL — Word can fetch the remote content on open depending on Office version and external-content settings, enabling remote template injection, NTLM capture via redirects, or payload delivery.
  • OLE object data · medium · RTF_OBJDATA
    RTF contains 7 \objdata section(s) — embedded OLE objects.
  • OlePres presentation stream in RTF OLE object · medium · RTF_OLEPRES_STREAM
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
  • Suspicious extracted artifact · info · EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL · info · EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://test1.ru/newbuild/t.php?thread=0&stats=send

Extracted artifacts (7)

Files carved from inside the sample during analysis.

Each entry lists Filename, SHA-256, Kind, Source and Size.

objdata_00_off00007cbe.bin
  SHA-256: fa79b00817f7495218632b8aca05100fc72b724a674512e970aa8642ceaa44bc
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x7CBE
  Size: 400 bytes

objdata_01_off00008018.bin
  SHA-256: 3551e8760858acd634d3f6b302914241bc116265a58fed1310927156cc70c478
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x8018
  Size: 280507 bytes
  Detection: ClamAV: Win.Dropper.Gandcrab-7077551-0
  Obfuscation or payload: likely
  Carved artifact entropy is 7.92, consistent with packed or encrypted content.

objdata_02_off00090fd3.bin
  SHA-256: c0a435900c2ed48b7906f5cf024a4a696f4ab519935c32e0004018c81174035c
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x90FD3
  Size: 340 bytes

objdata_03_off000912b7.bin
  SHA-256: 7c7961204875b936d10aaa8ad3249440ed73f12da44c0f8aa0ff94a85cf9048c
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x912B7
  Size: 1643 bytes

objdata_04_off00091fcb.bin
  SHA-256: 170399a741f8364bbf06cec53623f93687bf2c6434dbf9ab2555fa18fa82966d
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x91FCB
  Size: 797 bytes

objdata_05_off00092696.bin
  SHA-256: 67aabc6a6a58269ee7bdebda3b9c1bd073bd0740eba9e5936a2dc80fdfc8379d
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x92696
  Size: 2620 bytes

objdata_06_off00093c9f.bin
  SHA-256: 75bdf0d3e6198ce8609d72f965634443d1596df6ed427f655b94bb1d92e195e5
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x93C9F
  Size: 4681 bytes