Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 54b0ff9d62ef4867…

Verdict: MALICIOUS
Type: RTF / .DOC
Size: 346.9 KB
MD5: 46e530bd1d4af9fb8a4524642243161b
SHA-1: 6c0b5e411be5c9063ed0132bb66924ae257fe1ed
SHA-256: 54b0ff9d62ef4867ba3aea9daa53c21a2b9e7ed772504e960bfc1d568ecb3850
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The RTF document contains multiple OLE objects, with high-confidence heuristics indicating automatic linking and update triggers. These mechanisms are commonly used to embed and execute malicious code, likely leading to the download or execution of a secondary payload. No document body text or scripts were extracted, limiting further analysis of the specific payload.

Heuristics (5)

  • Composite Moniker in RTF OLE object (severity: high, CVE related) [RTF_COMPOSITE_MONIKER_RELATED]
    RTF contains a Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • Automatically linked OLE object (severity: high) [RTF_OBJAUTLINK]
    RTF contains \objautlink: an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation (severity: high) [RTF_OBJUPDATE]
    RTF contains \objupdate: forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium) [RTF_OBJDATA]
    RTF contains 4 \objdata section(s): embedded OLE objects.
  • Embedded OLE object (severity: medium) [RTF_OBJEMB]
    RTF contains \objemb: embedded OLE object.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size / SHA-256

  • objdata_00_off000007da.bin
    Kind:    rtf-objdata-decoded
    Source:  RTF \objdata at offset 0x7DA
    Size:    65990 bytes
    SHA-256: 40b762f177e5753d6be0efff916c9cd4bf88fd43733ffc145cd0ff205c8d690c
  • objdata_01_off00006f89.bin
    Kind:    rtf-objdata-decoded
    Source:  RTF \objdata at offset 0x6F89
    Size:    65963 bytes
    SHA-256: bb6cd5a22c60cb4918dacd8693eb22185a032e038b501a9d993c2ef274a9985e
  • objdata_02_off0002881c.bin
    Kind:    rtf-objdata-decoded
    Source:  RTF \objdata at offset 0x2881C
    Size:    2632 bytes
    SHA-256: 32e8e449cdc043249ce37c79c9eaf2af80a02cb8175718a8a0ce726d961b7d16
  • objdata_03_off00029dbf.bin
    Kind:    rtf-objdata-decoded
    Source:  RTF \objdata at offset 0x29DBF
    Size:    12297 bytes
    SHA-256: e8d4fe950caed6dcfde26f4b616825bbe11b93458425974b7d075167f675abf7