Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 8ac32b7faa79aabd…

Verdict: MALICIOUS
Type: RTF / .DOC
Size: 295.5 KB
MD5: 452e11d23c80550a45b6a498bac85733
SHA-1: 1b1355594eecbfad9803e771bedefedf96ecceee
SHA-256: 8ac32b7faa79aabd51156f6503e624a53ee5d355d602784273376ad45e7dbdbf
Risk Score: 180

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic

The RTF document contains multiple OLE object embeddings and auto-linking, with an explicit instruction to 'Enable Editing'. This strongly suggests a lure to bypass macro security settings and execute embedded malicious content. The document body's garbled text and the 'Microsoft Office does not work in email Preview' message are consistent with a social engineering tactic to trick users into opening the file and enabling macros. No specific family could be identified, but the technique is common for macro-based downloaders.

Heuristics (6)

  • [high, CVE related] Composite Moniker in RTF OLE object (RTF_COMPOSITE_MONIKER_RELATED)
    RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • [high] Automatically linked OLE object (RTF_OBJAUTLINK)
    RTF contains \objautlink, an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • [high] \objupdate forces OLE activation (RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • [medium] OLE object data (RTF_OBJDATA)
    RTF contains 4 \objdata section(s): embedded OLE objects.
  • [medium] Embedded OLE object (RTF_OBJEMB)
    RTF contains \objemb: embedded OLE object.
  • [medium] Macro/content-enable lure (SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • objdata_00_off0000096e.bin
    SHA-256: b600c83caba658e48b700b42452354b502d5b9403da22e82e8272dbd9e2b026c
    Kind: rtf-objdata-decoded | Source: RTF \objdata at offset 0x96E | Size: 40496 bytes
  • objdata_01_off0000711d.bin
    SHA-256: b3ba4afc247224262757161bba6cd77f5979d9a488a97b22ae283ced1a9043c5
    Kind: rtf-objdata-decoded | Source: RTF \objdata at offset 0x711D | Size: 40469 bytes
  • objdata_02_off0001ba8e.bin
    SHA-256: 3cd3b7d42e5855c90d6d11c54ef2670ed8970441480cc23f7d39ef08fa1c935b
    Kind: rtf-objdata-decoded | Source: RTF \objdata at offset 0x1BA8E | Size: 2632 bytes
  • objdata_03_off0001d031.bin
    SHA-256: e8d4fe950caed6dcfde26f4b616825bbe11b93458425974b7d075167f675abf7
    Kind: rtf-objdata-decoded | Source: RTF \objdata at offset 0x1D031 | Size: 12297 bytes