Bladabindi — RTF / .DOC malware analysis

Static analysis result for SHA-256 4b26b2e6509de519…

Verdict: MALICIOUS

File type: RTF / .DOC

Size: 3.36 MB

MD5: 8fb76570d8bce580c2f0ec5c53bb1b4b
SHA-1: fb3c060cf9623dd89bfa62334b4eb417be5b8165
SHA-256: 4b26b2e6509de519c27c0368451d1ae56eb495eed0a10c1fbb40394cb4314a17

Risk Score: 400

Malware Insights

Bladabindi · confidence 90%

MITRE ATT&CK

  • T1204.002 User Execution: Malicious File
  • T1027 Obfuscated Files or Information
  • T1204.001 User Execution: Malicious Link

The sample is an RTF document containing a lure instructing the user to 'Decrypt the document by Enable Editing DP'. It uses embedded OLE objects and a Composite Moniker to force activation, which drops a PE file identified by ClamAV as Win.Packed.Bladabindi-10017208-0. The presence of a large hex-encoded block containing an MZ header confirms the delivery of an executable payload.

Heuristics (10)

  • Composite Moniker in RTF OLE object (severity: high; tag: CVE related; rule: RTF_COMPOSITE_MONIKER_RELATED)
    RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • PE header (with DOS stub) in hex data (severity: critical; rule: RTF_MZ_HEX)
    Hex-encoded PE (MZ + DOS stub) found inside RTF — likely an embedded executable payload
  • ClamAV: Rtf.Dropper.Agent-9965975-1 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Rtf.Dropper.Agent-9965975-1
  • ClamAV detection on extracted artifact (severity: critical; rule: EXTRACTED_FILE_CLAMAV)
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • \objupdate forces OLE activation (severity: high; rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • Package object class (severity: high; rule: RTF_OBJCLASS_PACKAGE)
    OLE Package object — can wrap arbitrary files
  • Large hex data blocks in OLE object (severity: high; rule: RTF_EXCESSIVE_HEX)
    RTF contains ~3451KB of hex-encoded data inside \objdata sections — may hide a payload
  • OLE object data (severity: medium; rule: RTF_OBJDATA)
    RTF contains 3 \objdata section(s) — embedded OLE objects
  • Embedded OLE object (severity: medium; rule: RTF_OBJEMB)
    RTF contains \objemb — embedded OLE object
  • Macro/content-enable lure (severity: medium; rule: SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: objdata_00_off0000021b.bin
    SHA-256: c5a8f00377482820f4a5f0f6b05195cf5e9d3578855dae95f61bfbd734f1351d
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x21B
    Size: 1725881 bytes
    Detection: ClamAV: Win.Packed.Bladabindi-10017208-0
    Obfuscation or payload: unlikely
  • Filename: objdata_01_off0034ade0.bin
    SHA-256: c45ba56ef1e520c0839063477a0bbc130147492b329b910107ccdc9fe0f361f7
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x34ADE0
    Size: 29561 bytes
  • Filename: objdata_02_off00359b5e.bin
    SHA-256: ec53aedbaabf3151b202b3fe0dee656c68fcacde807e6cc3e964f68367d56d1d
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x359B5E
    Size: 1731 bytes