Malicious Office (OOXML) / .DOCX — malware analysis report

Static analysis result for SHA-256 96655a703439349b…

MALICIOUS

Office (OOXML) / .DOCX

568.2 KB Created: 2025-10-12 19:04:00 UTC Authoring application: Microsoft Office Word 16.0000
MD5: e79936b79db160c60fd36dd011ecc31b SHA-1: c6b70e9c121d7ef1660491314fd42c7ebc3b95f6 SHA-256: 96655a703439349b5d0acece198677a81f70ac74cc9245e251213a1d6fdf3dcb
340 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File T1027 Obfuscated Files or Information T1140 Deobfuscate/Decode Files or Information

The OOXML document utilizes an altChunk to import an RTF object, which in turn contains a PE executable. The RTF object is configured to auto-update, triggering the execution of the embedded PE file when the document is opened. This technique is commonly used to deliver second-stage payloads.

Heuristics 9

  • Composite Moniker in RTF OLE object high CVE related RTF_COMPOSITE_MONIKER_RELATED
    (in altChunk RTF word/Gatsby.rtf) RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • altChunk imports embedded RTF (RTF injection) critical OOXML_ALTCHUNK_RTF
    Document inlines an embedded RTF via an aFChunk relationship and a <w:altChunk> body element. This is the canonical RTF-injection wrapper used to smuggle RTF exploits (Equation Editor / URL Moniker / objdata) past DOCX-only scanners. Word opens the wrapper and executes the RTF inline. Recursing into the RTF for the exact exploit primitive.
  • PE header (with DOS stub) in hex data critical RTF_MZ_HEX
    (in altChunk RTF word/Gatsby.rtf) Hex-encoded PE (MZ + DOS stub) found inside RTF — likely an embedded executable payload
  • altChunk RTF auto-updates embedded executable object critical OOXML_ALTCHUNK_RTF_AUTOUPDATE_PE
    OOXML document imports an embedded RTF through altChunk; the RTF contains OLE object data, forces object update, and carries a hex-encoded PE payload. This is a stronger compound exploit-loader shape than a generic altChunk RTF wrapper, but it is not tied to a single CVE unless the nested RTF object primitive also matches one.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    (in altChunk RTF word/Gatsby.rtf) RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • Large hex data blocks in OLE object high RTF_EXCESSIVE_HEX
    (in altChunk RTF word/Gatsby.rtf) RTF contains ~1734KB of hex-encoded data inside \objdata sections — may hide a payload
  • OLE object data medium RTF_OBJDATA
    (in altChunk RTF word/Gatsby.rtf) RTF contains 2 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    (in altChunk RTF word/Gatsby.rtf) RTF contains \objemb — embedded OLE object
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2015/wordml/symex
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts 6

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0007660e.bin
099ccfdec81cc8363bcc36d714ef707221996ef4aca5432293b01e7e8daa0e4b		 rtf-objdata-decoded RTF \objdata at offset 0x7660E 880362 bytes
objdata_01_off0022fc14.bin
0631cd2b16ce0c99cc02cbd612de1caa4c1ee5ccc6538b4e6a86824d0cd5b585		 rtf-objdata-decoded RTF \objdata at offset 0x22FC14 584266 bytes
rtf_svb_00434246.zip
a463062fa4912b21a38e780ed3e90eaa5c5b691e2da561ae5b20c5c201fb80f6		 rtf-svb-package RTF \svb hex-decoded ZIP at offset 0x434246 963 bytes
rtf_svb_004356f1.zip
1db5fafdb39a4e25cd63c0d17ee124d74679ca9fa60ca30d59caa7391aab0069		 rtf-svb-package RTF \svb hex-decoded ZIP at offset 0x4356F1 964 bytes
rtf_svb_0046dbc0.zip
53fff4488b7672eecc77c890505a45d3ecfc7a7654d7482c0a7d5b59e04ea302		 rtf-svb-package RTF \svb hex-decoded ZIP at offset 0x46DBC0 964 bytes
rtf_svb_0046e681.zip
9ecd25189a3c8807fe971db700117c1a62080407d92f2c0908b5116a2280b903		 rtf-svb-package RTF \svb hex-decoded ZIP at offset 0x46E681 964 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.