Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 9acb67b48bc0be01…

Verdict: MALICIOUS
File type: RTF / .DOC
Size: 218.2 KB
MD5: 7cfb79c8e0e184220bb0b97ec0df0ba4
SHA-1: f65ad85e9c862d6f09f2c8299c29aee3ec0babd5
SHA-256: 9acb67b48bc0be01c38e54667431deeb1e0a457d8f3e65fb73101452f17930f3
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic

The RTF document contains multiple embedded OLE objects, with one specifically triggered by \objupdate, indicating an attempt to execute code upon opening. The document body contains a "Please click Enable Editing to view the document." lure, a common tactic to bypass macro security. The embedded artifacts are likely the payload or components thereof.

Heuristics (6)

  • Composite Moniker in RTF OLE object (severity: high, CVE related) [RTF_COMPOSITE_MONIKER_RELATED]
    RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • \objupdate forces OLE activation (severity: high) [RTF_OBJUPDATE]
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium) [RTF_OBJDATA]
    RTF contains 3 \objdata section(s) — embedded OLE objects
  • Embedded OLE object (severity: medium) [RTF_OBJEMB]
    RTF contains \objemb — embedded OLE object
  • Macro/content-enable lure (severity: medium) [SE_ENABLE_LURE]
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Suspicious extracted artifact (severity: medium) [EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Each artifact is listed with its filename, SHA-256, kind, source (location inside the sample) and size.

  • objdata_00_off00000ba2.bin
    SHA-256: 0537f8ff46a685f5c8559a993d50523680d4e11f10a8dafcf022e8a0fb8b894e
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0xBA2
    Size: 15570 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact contains 1 shell/COM execution token(s).
  • objdata_01_off00008ac2.bin
    SHA-256: 893d8db8585190a273d0c7c3dcff2eb58184b866a3687a9319ca72a8284876cb
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x8AC2
    Size: 2632 bytes
  • objdata_02_off0000a065.bin
    SHA-256: 44deae4627fee3c44f54d5bd10477ec2e17f4c08135f08e2417832e36d10d037
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0xA065
    Size: 12297 bytes