Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 3ae7f36cf03f8c68…

MALICIOUS

RTF / .DOC

334.3 KB
MD5: ac66404b217e9268c155cf994dc143ce SHA-1: 0cff5075634b8d07dc15c2caa6fd7a0d561be09e SHA-256: 3ae7f36cf03f8c687a74f9595d5839d80a712d97ded308268c86f20db3d397c2
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 Command and Scripting Interpreter T1071.001 Application Layer Compromise T1566.001 Privilege Escalation T1071.002 Remote Services Execution T1071.003 Application Services - Malware Dropper T1071.005 User Execution: Malicious File

The file exhibits multiple RTF heuristics indicative of an OLE-based dropper. The presence of \_objdata, \_objemb, \_objautlink, and \_objupdate control words strongly suggests an attempt to exploit CVE-2017-8570 (Equation Editor). The \_objupdate control word, combined with the \_objdata sections, forces the instantiation of a vulnerable OLE object, likely EQNEDT32.EXE, triggering the exploit. The document's instruction to enable macros further supports this delivery mechanism, bypassing security settings. The Composite Moniker evidence suggests an attempt to leverage a related attack surface, though it doesn't confirm a direct CVE-2017-8570 exploit.

Heuristics 6

  • Composite Moniker in RTF OLE object high CVE related RTF_COMPOSITE_MONIKER_RELATED
    RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • Automatically linked OLE object high RTF_OBJAUTLINK
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 4 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00000965.bin
4cdecf2d1e4ef692c65d40e2725fdccf11de2026970e3b6dd649ecb74aad8edc		 rtf-objdata-decoded RTF \objdata at offset 0x965 59603 bytes
objdata_01_off00007114.bin
22d33ac3e4dfb4e785c15b557a69b7c77848a6865b0e7a43b1c50d3519c061a2		 rtf-objdata-decoded RTF \objdata at offset 0x7114 59576 bytes
objdata_02_off000255c3.bin
a8e170497da15decc11753d202c99c86f7a7ffd2d52481e6b9c79a5403675379		 rtf-objdata-decoded RTF \objdata at offset 0x255C3 2632 bytes
objdata_03_off00026b66.bin
e8d4fe950caed6dcfde26f4b616825bbe11b93458425974b7d075167f675abf7		 rtf-objdata-decoded RTF \objdata at offset 0x26B66 12297 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.