Gandcrab — RTF malware analysis

Static analysis result for SHA-256 a7a0812573953325…

MALICIOUS

RTF

806.0 KB First seen: 2019-04-18
MD5: 46ee75481c50503e0146fa52e4ce4312 SHA-1: 74cbe0603907fe0c202beb22349ce0f851bd6e73 SHA-256: a7a0812573953325015c3b4983beb1f813fd1e98eb74bd5591d07e38460a0c49
424 Risk Score

Malware Insights

Gandcrab · confidence 95%

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF file contains multiple indicators of exploitation targeting Equation Editor, specifically referencing CVE-2017-8570 which is known to drop SCT scripts. ClamAV detections confirm this is Gandcrab ransomware. The embedded OLE object data, particularly at offset 0xC553C, likely contains the malicious script payload.

Heuristics 10

  • Composite Moniker — CVE-2017-8570 (drops SCT script) critical CVE related CVE_2017_8570
    RTF \objdata decodes to OLE data containing the Composite Moniker — CVE-2017-8570 (drops SCT script) CLSID — the vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
  • Equation Editor CLSID critical CVE likely RTF_EQUATION_EDITOR
    Equation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
  • Composite Moniker in RTF OLE object high CVE related RTF_COMPOSITE_MONIKER_RELATED
    RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • ClamAV: Win.Ransomware.Gandcrab-6700520-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Ransomware.Gandcrab-6700520-0
  • PE header (with DOS stub) in hex data critical RTF_MZ_HEX
    Hex-encoded PE (MZ + DOS stub) found inside RTF — likely an embedded executable payload
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 8 \objdata section(s) — embedded OLE objects
  • OlePres presentation stream in RTF OLE object medium RTF_OLEPRES_STREAM
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://nsis.sf.net/NSIS_Error In RTF body
    • http://ns.adobe.com/xap/1.0/In RTF body
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In RTF body
    • http://ns.adobe.com/xap/1.0/mm/In RTF body
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#In RTF body
    • http://ns.adobe.com/xap/1.0/rights/In RTF body

Extracted artifacts 7

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0000002f.bin rtf-objdata-decoded RTF \objdata at offset 0x2F 887 bytes
SHA-256: 63c0c8928d7dba416d73c39a7f0eaf44893fd70add55efa5088566e0f4599c0d
objdata_01_off0000078d.bin rtf-objdata-decoded RTF \objdata at offset 0x78D 612 bytes
SHA-256: c62851521e10316dfd43f2b6ee67cc27e2a24456bb346c8fa9dc4a6d6e21d526
objdata_02_off00000c8f.bin rtf-objdata-decoded RTF \objdata at offset 0xC8F 401789 bytes
SHA-256: bf393fa4d073980da0d9ab1eba51a2efa096bd82dcabd559cf6b96b040e420a5
Detection
ClamAV: Win.Ransomware.Gandcrab-6700520-0
Obfuscation or payload: likely
Carved artifact entropy is 7.95, consistent with packed or encrypted content.
objdata_03_off000c4fc7.bin rtf-objdata-decoded RTF \objdata at offset 0xC4FC7 382 bytes
SHA-256: a6e12921d130c7b67ef4a947fc49a88b8274ff489967d5e1a01f75f39326a1f0
objdata_04_off000c52f7.bin rtf-objdata-decoded RTF \objdata at offset 0xC52F7 789 bytes
SHA-256: 0cbf13d1acbd141eb9f48a47cdaf68def77b851570a5ad952a26f657ff3b6c68
objdata_05_off000c5988.bin rtf-objdata-decoded RTF \objdata at offset 0xC5988 2633 bytes
SHA-256: 1feb5f150bb35566d1a01fc59a357dc0ea34bc7498e0ec99bd939f6f848044b0
objdata_06_off000c6e92.bin rtf-objdata-decoded RTF \objdata at offset 0xC6E92 4675 bytes
SHA-256: f9caf77e9bfb0390eefbd05298b30c1a2021145793d5c1b88eabd50db560ead4