MALICIOUS
140
Risk Score
Malware Insights
MITRE ATT&CK
T1204 Malicious Link
T1204.002 Malicious Link: Malicious File
The RTF document contains multiple OLE objects and uses an 'enable editing' lure to trick the user into activating embedded content. This is a common delivery mechanism for malware droppers. No scripts were extracted from this sample, and the document body text is minimal, providing limited insight into the specific payload.
Heuristics 5
-
Composite Moniker in RTF OLE object high RTF_COMPOSITE_MONIKER_RELATEDRTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
-
\objupdate forces OLE activation high RTF_OBJUPDATERTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
-
OLE object data medium RTF_OBJDATARTF contains 3 \objdata section(s) — embedded OLE objects
-
Embedded OLE object medium RTF_OBJEMBRTF contains \objemb — embedded OLE object
-
Macro/content-enable lure medium SE_ENABLE_LUREDocument instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
objdata_00_off00000ba2.binfb1801225432b9b06ab76d9d6e01a806eb885e10e1f8cb2a97883b1dfd9ee10a |
rtf-objdata-decoded | RTF \objdata at offset 0xBA2 | 47648 bytes |
objdata_01_off00018f64.bin893d8db8585190a273d0c7c3dcff2eb58184b866a3687a9319ca72a8284876cb |
rtf-objdata-decoded | RTF \objdata at offset 0x18F64 | 2632 bytes |
objdata_02_off0001a507.bin44deae4627fee3c44f54d5bd10477ec2e17f4c08135f08e2417832e36d10d037 |
rtf-objdata-decoded | RTF \objdata at offset 0x1A507 | 12297 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.