Win.Dropper.DarkKomet-9262651-0 RTF malware analysis — malicious · af6438f9efeb35a7

MALICIOUS

RTF

2.74 MB Created: 2018-05-21 15:22:00 First seen: 2019-08-04

MD5: 0ffa130722d25707a51fcff317e20da9 SHA-1: 62b8c8d412e264adf3aee592e8d758529f1bc9ee SHA-256: af6438f9efeb35a7ef90591c5d8be8b047bd5ad1bb9da7bb8a744a91047773df

502 Risk Score

Malware Insights

Win.Dropper.DarkKomet-9262651-0 · confidence 95%

MITRE ATT&CK

T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF document contains multiple indicators of malicious activity, including OLE object data, embedded OLE objects, and excessive hex data within OLE objects. Critical heuristics identify the exploitation of CVE-2017-8759 and ClamAV detections point to the DarkKomet dropper family. The embedded OLE objects likely contain and execute a second-stage payload.

Heuristics 12

Equation Editor CLSID critical CVE likely RTF_EQUATION_EDITOR

Equation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
CVE-2017-8759 — MSXML SAX OLE activation critical CVE likely CVE_2017_8759

RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
Ole10Native stream in RTF OLE object high CVE related RTF_OLE10NATIVE_STREAM

RTF contains an embedded OLE object with an Ole10Native stream. This is a strong payload-container signal and is related to Word/OLE exploit delivery, but it is not specific enough on its own to assign a CVE.
ClamAV: Win.Dropper.Generickdz-7440146-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Dropper.Generickdz-7440146-0
\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
Package object class high RTF_OBJCLASS_PACKAGE

OLE Package object — can wrap arbitrary files
Large hex data blocks in OLE object high RTF_EXCESSIVE_HEX

RTF contains ~2603KB of hex-encoded data inside \objdata sections — may hide a payload
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
OLE object data medium RTF_OBJDATA

RTF contains 2 \objdata section(s) — embedded OLE objects
Embedded OLE object medium RTF_OBJEMB

RTF contains \objemb — embedded OLE object
OlePres presentation stream in RTF OLE object medium RTF_OLEPRES_STREAM

RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.microsoft.com In RTF body

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off00002a8a.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x2A8A	1301505 bytes
SHA-256: `c988543ca9372559dd05bff9df8794157b60df70848c30972ead02764997fd47`
Detection ClamAV: Win.Dropper.Generickdz-7440146-0 Obfuscation or payload: unlikely
`objdata_01_off00299061.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x299061	23598 bytes
SHA-256: `9d6812245bb9a9acb8a063c32175f2d2d79fdda37feb88384d730b4323f75b05`
Detection ClamAV: No threats found Obfuscation or payload: likely Static shellcode analysis found candidate code region(s). Indicators: SC_PEB_ACCESS Static shellcode analysis recovered command string(s): cmd.exe /c %tmp%\A.X %

Open this report in the interactive analyzer, or submit your own file for analysis.