Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 3dfa5c045488b694…

MALICIOUS

RTF / .DOC

Size: 393.4 KB
Created: 2021-09-29 02:46:00
MD5: 20ebabf1b737d2e16a2290953d886320
SHA-1: 95fe89caa549666a880dbd067a0d49ad712715da
SHA-256: 3dfa5c045488b69407370bbe79536e6fc9e98bfe9e8ee744b4473b5e8f474766
Risk Score: 182

Malware Insights

MITRE ATT&CK

  • T1204 User Execution
  • T1204.002 User Execution: Malicious File
  • T1566 Phishing
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059 Command and Scripting Interpreter
  • T1059.005 Command and Scripting Interpreter: Visual Basic

The RTF document contains multiple indicators of malicious OLE objects, including a composite moniker and an automatically linked object. The presence of a macro/content-enable lure (text instructing the user to enable macros or editing) suggests the document is designed to prompt user interaction in order to bypass security controls. This pattern is commonly used by malware droppers to download and execute further stages. No scripts were extracted, which limits the ability to determine the exact payload delivery mechanism.

Heuristics (7)

  • Composite Moniker in RTF OLE object (high, CVE related) RTF_COMPOSITE_MONIKER_RELATED
    RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • Automatically linked OLE object (high) RTF_OBJAUTLINK
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • Package object class (high) RTF_OBJCLASS_PACKAGE
    OLE Package object — can wrap arbitrary files.
  • OLE object data (medium) RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects.
  • Embedded OLE object (medium) RTF_OBJEMB
    RTF contains \objemb — embedded OLE object.
  • Macro/content-enable lure (medium) SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • objdata_00_off00002a7b.bin
    SHA-256: 77d2efea94de0d97dafe94cceaaf0f2ec493608ac1b67f043a3f8b1a823b7d02
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x2A7B
    Size: 175909 bytes
  • objdata_01_off0005954d.bin
    SHA-256: 72af50ac9cdfe0d0ad3c5149993a00bbecbb7062dc91710a21a3f65b768d9df7
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x5954D
    Size: 7872 bytes