Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 4756801203243db6…

MALICIOUS

RTF / .DOC

233.5 KB First seen: 2022-06-21
MD5: 0cdb29ddc64df2bcce439009258b5793 SHA-1: 32d851234808ee1412d8623b15378c51b723393e SHA-256: 4756801203243db65820ae473cc9fe90f87a2a15e4ab6f8d15df42f7c9cfe365
220 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1059.005 Visual Basic

The RTF document contains OLE object data and triggers an objupdate event, indicating an attempt to activate embedded objects. Heuristics confirm the exploitation of CVE-2017-8570, which is known to drop SCT scripts. The document body includes a common lure instructing the user to 'Enable Editing' to view the content, facilitating the exploit. This suggests the file is designed to drop and execute a malicious script via the CVE-2017-8570 vulnerability.

Heuristics 7

  • Composite Moniker — CVE-2017-8570 (drops SCT script) critical CVE related CVE_2017_8570
    RTF \objdata decodes to OLE data containing the Composite Moniker — CVE-2017-8570 (drops SCT script) CLSID — the vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
  • Composite Moniker in RTF OLE object high CVE related RTF_COMPOSITE_MONIKER_RELATED
    RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 3 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00000ba4.bin
739b7936caef3a3472bf3e9afdc5094c89863b8e612caf226cd89a6640937e11		 rtf-objdata-decoded RTF \objdata at offset 0xBA4 23108 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 shell/COM execution token(s).
objdata_01_off0000c802.bin
4aa0e7f5ab53bb62fd4a60818892a21fcbe35dba260d2112984f00988c699ebb		 rtf-objdata-decoded RTF \objdata at offset 0xC802 2632 bytes
objdata_02_off0000dda5.bin
142dc43284d9abe994719f8fb67bc4c04bfc3f07528a1a66b0bad7e552ee8e78		 rtf-objdata-decoded RTF \objdata at offset 0xDDA5 12297 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.