Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 7d35d2dc34fb2250…

Verdict: MALICIOUS
File type: RTF / .DOC
File size: 368.4 KB
MD5: a6b2e3c82d54e9f70561edfc55a035f3
SHA-1: 72aa1ab3c9ffb5930701b55dfa248e33c17cd7a3
SHA-256: 7d35d2dc34fb22505657c228734d574a07c2bc3e2ba9812f23638cfffe799e75
Risk Score: 180

Malware Insights

MITRE ATT&CK
  • T1204 Malicious Link
  • T1204.002 Malicious Link: Malicious File
  • T1559 Component Object Model Hijacking
  • T1559.001 Component Object Model Hijacking: Component Object Model

The RTF document contains multiple indicators of OLE object manipulation, including ".objdata", ".objemb", ".objautlink", and ".objupdate" control words. The presence of ".objupdate" strongly suggests an attempt to exploit the Equation Editor vulnerability (CVE-2017-8570 or similar), which automatically spawns the vulnerable process upon document opening. The heuristic "SE_ENABLE_LURE" further indicates a social engineering attempt to bypass macro security settings. No specific malware family could be identified, and no external IOCs were extracted.

Heuristics (6)

  • Composite Moniker in RTF OLE object [high; CVE related] RTF_COMPOSITE_MONIKER_RELATED
    RTF contains a Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • Automatically linked OLE object [high] RTF_OBJAUTLINK
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation [high] RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 4 \objdata section(s) — embedded OLE objects.
  • Embedded OLE object [medium] RTF_OBJEMB
    RTF contains \objemb — embedded OLE object.
  • Macro/content-enable lure [medium] SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename                   | Kind                | Source                         | Size
---------------------------+---------------------+--------------------------------+-------------
objdata_00_off00000965.bin | rtf-objdata-decoded | RTF \objdata at offset 0x965   | 76400 bytes
  SHA-256: 10fc7a40d5e05117ad220dc7b657c851a4ebe7bbfd621a56d6c3fdc91b35010b
objdata_01_off00007114.bin | rtf-objdata-decoded | RTF \objdata at offset 0x7114  | 76373 bytes
  SHA-256: c5b9f58a964116c151c4e0fbc214ec47d0d06f6d4f2ea996b1c9c498bffd5ff4
objdata_02_off0002de3d.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2DE3D | 2632 bytes
  SHA-256: a8e170497da15decc11753d202c99c86f7a7ffd2d52481e6b9c79a5403675379
objdata_03_off0002f3e0.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2F3E0 | 12297 bytes
  SHA-256: e8d4fe950caed6dcfde26f4b616825bbe11b93458425974b7d075167f675abf7