Win.Dropper.Nanocore-10019727-0 — RTF malware analysis

Static analysis result for SHA-256 9ab8727f31d9bf41…

MALICIOUS

RTF

1.48 MB First seen: 2019-05-31
MD5: 9003b38052b740f8ffb066168ec70de1 SHA-1: 88c6c6cce377ff29d57e74c457ae800829549fdf SHA-256: 9ab8727f31d9bf41bd158f8815d2aa6d1de3fa31c69be565605fe891c9db14a1
482 Risk Score

Malware Insights

Win.Dropper.Nanocore-10019727-0 · confidence 95%

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains multiple indicators of exploitation, including the use of Equation Editor with OLE object data and remote URL inclusion. The presence of a PE header within hex data and ClamAV detection as Win.Dropper.Nanocore-10019727-0 strongly suggests it's a dropper. The embedded URL is likely used to download and execute a secondary payload.

Heuristics 11

  • Equation Editor CLSID critical CVE likely RTF_EQUATION_EDITOR
    Equation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
  • Composite Moniker in RTF OLE object high CVE related RTF_COMPOSITE_MONIKER_RELATED
    RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • ClamAV: Win.Dropper.Nanocore-10019727-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Dropper.Nanocore-10019727-0
  • PE header (with DOS stub) in hex data critical RTF_MZ_HEX
    Hex-encoded PE (MZ + DOS stub) found inside RTF — likely an embedded executable payload
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • Large hex data blocks in OLE object high RTF_EXCESSIVE_HEX
    RTF contains ~1527KB of hex-encoded data inside \objdata sections — may hide a payload
  • INCLUDETEXT/INCLUDEPICTURE remote URL high RTF_INCLUDE_REMOTE
    RTF document uses INCLUDETEXT or INCLUDEPICTURE with an http:// URL — Word can fetch the remote content on open depending on Office version and external-content settings, enabling remote template injection, NTLM capture via redirects, or payload delivery
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • OLE object data medium RTF_OBJDATA
    RTF contains 7 \objdata section(s) — embedded OLE objects
  • OlePres presentation stream in RTF OLE object medium RTF_OLEPRES_STREAM
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://test1.ru/newbuild/t.php?thread=0&stats=send In RTF body
    • http://schemas.openxmlformats.org/drawingml/2006/mainIn RTF body

Extracted artifacts 7

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0000af28.bin rtf-objdata-decoded RTF \objdata at offset 0xAF28 26316 bytes
SHA-256: 15874e48be01b3e412f7fd44b2fd10812d7359db07e7616b003b703da8ddd14d
objdata_01_off00017cfa.bin rtf-objdata-decoded RTF \objdata at offset 0x17CFA 715450 bytes
SHA-256: 216e74adcbb0655af1c5f7073d6912e335a8be64409f25450e34a8431fe6aadb
Detection
ClamAV: Win.Dropper.Nanocore-10019727-0
Obfuscation or payload: unlikely
objdata_02_off001752b3.bin rtf-objdata-decoded RTF \objdata at offset 0x1752B3 313 bytes
SHA-256: 814f5c2e9bfcf682c813e1bfb2a48e01bf6ed86d3f56303cd396fe70fe1ee747
objdata_03_off00175561.bin rtf-objdata-decoded RTF \objdata at offset 0x175561 597 bytes
SHA-256: fbe8a78c2ba5cba02b3557c3b189db8b3462b4fdbba1cc324eb43157f7b032e9
objdata_04_off00175a49.bin rtf-objdata-decoded RTF \objdata at offset 0x175A49 797 bytes
SHA-256: 8886ba32e0020ec369266fd849c73acf5cecb8ce163136789d01d19dc707e21c
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): WScript" & "" & rab & "ll" & "")
objdata_05_off00176114.bin rtf-objdata-decoded RTF \objdata at offset 0x176114 2620 bytes
SHA-256: 87855113644679e6d8e440ba6388568b88854a7ec79a71d9e821323f36f07d17
objdata_06_off0017771d.bin rtf-objdata-decoded RTF \objdata at offset 0x17771D 4681 bytes
SHA-256: 75bdf0d3e6198ce8609d72f965634443d1596df6ed427f655b94bb1d92e195e5

Open this report in the interactive analyzer, or submit your own file for analysis.