Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 479359b567cee405…

Verdict: MALICIOUS
Type: RTF / .DOC
Size: 346.9 KB
MD5: 4cbdbe42f996bfc6ba2c562c363157e0
SHA-1: 92e4078d7cc6a5e8d7095bd24395734ff6120f00
SHA-256: 479359b567cee405775f024ce15266469841505674c198ec25468d89151a5e1f
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1559.001 Component Object Model
  • T1204.002 Malicious File

The RTF document contains multiple OLE objects, with several heuristics indicating automatic linking and update mechanisms. These features suggest the file is designed to exploit OLE vulnerabilities to execute embedded malicious content when opened. No document body or script content was available for further analysis.

Heuristics (5)

  • Composite Moniker in RTF OLE object [severity: high, CVE related] (RTF_COMPOSITE_MONIKER_RELATED)
    RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • Automatically linked OLE object [severity: high] (RTF_OBJAUTLINK)
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation [severity: high] (RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [severity: medium] (RTF_OBJDATA)
    RTF contains 4 \objdata section(s) — embedded OLE objects
  • Embedded OLE object [severity: medium] (RTF_OBJEMB)
    RTF contains \objemb — embedded OLE object

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • objdata_00_off000007da.bin
    SHA-256: 17d101bf271663e80df0c4f1bbf6a7e35eb82f9d1589237fc108091e053e5cca
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x7DA
    Size: 65990 bytes
  • objdata_01_off00006f89.bin
    SHA-256: d2a4d54c85100a373cb80e19d1b88f4c190d0f27e9b56436f040ac0329391b04
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x6F89
    Size: 65963 bytes
  • objdata_02_off0002881c.bin
    SHA-256: 32e8e449cdc043249ce37c79c9eaf2af80a02cb8175718a8a0ce726d961b7d16
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x2881C
    Size: 2632 bytes
  • objdata_03_off00029dbf.bin
    SHA-256: e8d4fe950caed6dcfde26f4b616825bbe11b93458425974b7d075167f675abf7
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x29DBF
    Size: 12297 bytes