Malicious RTF — malware analysis report

Static analysis result for SHA-256 4f2882309009fd91…

Verdict: MALICIOUS
File type: RTF
Size: 487.7 KB
First seen: 2022-06-05
MD5: eafcffaffefde51941a66d166e2168b7
SHA-1: 84694bedecef6d7523db413c86e3eed2b8f6c061
SHA-256: 4f2882309009fd919225eb2d0be92bdc38d2bea1e2e861c3655ca87c87ffa042
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1559.001 Component Object Model Hijacking
  • T1137.001 DLL Search Order Hijacking

The RTF document contains multiple OLE objects, with high-confidence heuristics indicating automatic linking and update mechanisms that force OLE activation. This suggests the document is designed to exploit vulnerabilities within OLE object handling to execute arbitrary code. The document body contains heavily obfuscated or placeholder text, providing no clear user-facing lure.

Heuristics (5)

  • Composite Moniker in RTF OLE object (severity: high; tag: CVE related; rule: RTF_COMPOSITE_MONIKER_RELATED)
    RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • Automatically linked OLE object (severity: high; rule: RTF_OBJAUTLINK)
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation (severity: high; rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium; rule: RTF_OBJDATA)
    RTF contains 4 \objdata section(s) — embedded OLE objects.
  • Embedded OLE object (severity: medium; rule: RTF_OBJEMB)
    RTF contains \objemb — embedded OLE object.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Each entry lists the carved filename, its SHA-256, the artifact kind, where in the sample it was carved from, and its size.

  • objdata_00_off000007f8.bin
    SHA-256: ac501e0ad89d72652c6882d56e4875e75e21f79d81448d1fe57646b3f6424862
    Kind: rtf-objdata-decoded; Source: RTF \objdata at offset 0x7F8; Size: 141059 bytes
  • objdata_01_off00004106.bin
    SHA-256: f822b384aeefd57ddbba4e99cc8bb8363087e1dbfc33d7dd6de675d88b9f92a4
    Kind: rtf-objdata-decoded; Source: RTF \objdata at offset 0x4106; Size: 141033 bytes
  • objdata_02_off0004bb8b.bin
    SHA-256: 3cd3b7d42e5855c90d6d11c54ef2670ed8970441480cc23f7d39ef08fa1c935b
    Kind: rtf-objdata-decoded; Source: RTF \objdata at offset 0x4BB8B; Size: 2632 bytes
  • objdata_03_off0004d12e.bin
    SHA-256: e8d4fe950caed6dcfde26f4b616825bbe11b93458425974b7d075167f675abf7
    Kind: rtf-objdata-decoded; Source: RTF \objdata at offset 0x4D12E; Size: 12297 bytes