Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 7fd0d5d4d28ae153…

Verdict: MALICIOUS
File type: RTF / .DOC
Size: 241.5 KB
MD5: 8d2c39a1c65d1d9d1c43b341c18cd555
SHA-1: f90076599865645ff9434998d71d37569371cc80
SHA-256: 7fd0d5d4d28ae153760ff1db3f21d11957a7967f6d6539d2781bab47a4a5f1d5
Risk Score: 180

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The RTF document contains multiple OLE objects, including an automatically linked object that is forced to update. This technique is commonly used to bypass macro security and execute embedded malicious content. The heuristic 'SE_ENABLE_LURE' further suggests the document attempts to trick the user into enabling content. No specific scripts or URLs were extracted, but the OLE object activation is the primary attack vector.

Heuristics (6)

  • Composite Moniker in RTF OLE object [severity: high; CVE related] (RTF_COMPOSITE_MONIKER_RELATED)
    RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • Automatically linked OLE object [severity: high] (RTF_OBJAUTLINK)
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation [severity: high] (RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [severity: medium] (RTF_OBJDATA)
    RTF contains 3 \objdata section(s) — embedded OLE objects.
  • Embedded OLE object [severity: medium] (RTF_OBJEMB)
    RTF contains \objemb — embedded OLE object.
  • Macro/content-enable lure [severity: medium] (SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000969.bin
  SHA-256: 4b1f73dd90984dd57db6e1ae092c994613d558a58185f3954560a685bfc1a52a
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x969
  Size: 26658 bytes

Filename: objdata_01_off0000e2a2.bin
  SHA-256: 9d9bc825f2fa5e0ed8db7dce6823e199ad9c775873472d42887214589f205470
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0xE2A2
  Size: 2632 bytes

Filename: objdata_02_off0000f845.bin
  SHA-256: 44deae4627fee3c44f54d5bd10477ec2e17f4c08135f08e2417832e36d10d037
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0xF845
  Size: 12297 bytes