Malicious RTF — malware analysis report

Static analysis result for SHA-256 823fa05a348d91f6…

MALICIOUS

RTF

720.9 KB Authoring application: LibreOffice/7.1.2.2$Linux_X86_64 LibreOffice_project/8a45595d069ef5570103caea1b71cc9d82b2aae4
MD5: f28ef3e66d7a8459f8ab38f4aa56f5cf SHA-1: 35d7cf1efe99f9875fb332f3b576525c3172ae81 SHA-256: 823fa05a348d91f66ee9c38d815a79ff07b2b5757ea8a5fea4db43f017deb906
220 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF document contains multiple indicators of malicious OLE object embedding, specifically related to CVE-2017-8570. This vulnerability allows for the dropping of a script, which is then likely executed to perform further malicious actions. The presence of composite monikers and objdata sections strongly suggests an exploit attempt.

Heuristics 6

  • Composite Moniker — CVE-2017-8570 (drops SCT script) critical CVE related CVE_2017_8570
    RTF \objdata decodes to OLE data containing the Composite Moniker — CVE-2017-8570 (drops SCT script) CLSID — the vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
  • Composite Moniker in RTF OLE object high CVE related RTF_COMPOSITE_MONIKER_RELATED
    RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • Automatically linked OLE object high RTF_OBJAUTLINK
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 4 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0000f3e9.bin
aa4234721ed8218a533443295b758d2ef192cc235ce308dd56e8b087a3418d9a		 rtf-objdata-decoded RTF \objdata at offset 0xF3E9 221081 bytes
objdata_01_off00015b98.bin
06cac6cb386a6c3c002c08d4dce06f137a28b04af5da0ed3842b3b002eff0bd0		 rtf-objdata-decoded RTF \objdata at offset 0x15B98 221054 bytes
objdata_02_off00086049.bin
51ef705eef602ac6eb91c2063c8f50d4e54b5e051b60429031d41133bc7df645		 rtf-objdata-decoded RTF \objdata at offset 0x86049 2632 bytes
objdata_03_off000875ec.bin
e8d4fe950caed6dcfde26f4b616825bbe11b93458425974b7d075167f675abf7		 rtf-objdata-decoded RTF \objdata at offset 0x875EC 12297 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.