Malicious RTF — malware analysis report

Static analysis result for SHA-256 808f3eab9ab519fa…

MALICIOUS

RTF

97.3 KB Created: 2022-07-14 13:37:00 First seen: 2022-07-15
MD5: d0e8c8994d4ca0c3c5d81a516b726d9d SHA-1: b8cd13cccc024eb103d249c5331966a7591ade90 SHA-256: 808f3eab9ab519fa8dda92f64e1dc04a086afbf38be31c59a37fecbae0a56e93
242 Risk Score

Malware Insights

MITRE ATT&CK
T1204 Malicious Link T1204.002 Malicious File T1059 Command and Scripting Interpreter

The RTF file contains embedded OLE objects, specifically triggering the CVE-2017-8570 heuristic which indicates the dropping of an SCT script. This exploit is commonly used to deliver malicious payloads. The presence of composite monikers and automatically linked OLE objects further supports the exploitation of this vulnerability.

Heuristics 8

  • Composite Moniker — CVE-2017-8570 (drops SCT script) critical CVE related CVE_2017_8570
    RTF \objdata decodes to OLE data containing the Composite Moniker — CVE-2017-8570 (drops SCT script) CLSID — the vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
  • Composite Moniker in RTF OLE object high CVE related RTF_COMPOSITE_MONIKER_RELATED
    RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • Automatically linked OLE object high RTF_OBJAUTLINK
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • Package object class high RTF_OBJCLASS_PACKAGE
    OLE Package object — can wrap arbitrary files
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2003/wordml

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0000270a.bin
d43f88f820ff6f5df63eb22aeb36d776483755976f4557755aff1bd0b99eb2a7		 rtf-objdata-decoded RTF \objdata at offset 0x270A 25924 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 shell/COM execution token(s).
objdata_01_off0000f4ba.bin
79c9830c0d56f4f845f17d9093926aa3dba1a4cc58ec46f44cf65c3daecc1c32		 rtf-objdata-decoded RTF \objdata at offset 0xF4BA 7872 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.