Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 346e29f3720f527f…

Verdict: MALICIOUS
File type: RTF / .DOC
File size: 460.0 KB
MD5: da34cd51aa573a74ef916bae611d4b50
SHA-1: 00b460c37b8d0ac782c0db13ed00d7795c668958
SHA-256: 346e29f3720f527f532d564b78623e6c94346bf0fc42ad7fe90f0182918937c5
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1559.001 Component Object Model
  • T1204.002 Malicious File

The RTF document contains multiple OLE objects, with several heuristics indicating automatic linking and update mechanisms designed to trigger execution. The presence of ".objdata" and ".objemb" sections strongly suggests the embedding of executable content. No document body or scripts were extracted, making it impossible to determine the specific lure or payload.

Heuristics (5)

  • Composite Moniker in RTF OLE object (severity: high; CVE related; rule RTF_COMPOSITE_MONIKER_RELATED)
    RTF contains a Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • Automatically linked OLE object (severity: high; rule RTF_OBJAUTLINK)
    RTF contains \objautlink: an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation (severity: high; rule RTF_OBJUPDATE)
    RTF contains \objupdate: forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium; rule RTF_OBJDATA)
    RTF contains 4 \objdata sections (embedded OLE objects).
  • Embedded OLE object (severity: medium; rule RTF_OBJEMB)
    RTF contains \objemb (embedded OLE object).

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Each artifact is listed with its filename, SHA-256, kind, source and size.

  • objdata_00_off000007da.bin
    SHA-256: 99eb372baf256e65e94da5509e4d20a0abad8a370549ac4ca11d7cd9f2c15dc0
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x7DA
    Size: 121670 bytes
  • objdata_01_off00006f89.bin
    SHA-256: b0d1542dfae89a9ce08c94f646e1231e62a7b7e8ec569d387464e0c7aae8acb5
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x6F89
    Size: 121643 bytes
  • objdata_02_off00044c84.bin
    SHA-256: 32e8e449cdc043249ce37c79c9eaf2af80a02cb8175718a8a0ce726d961b7d16
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x44C84
    Size: 2632 bytes
  • objdata_03_off00046227.bin
    SHA-256: e8d4fe950caed6dcfde26f4b616825bbe11b93458425974b7d075167f675abf7
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x46227
    Size: 12297 bytes