MALICIOUS
402
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
The RTF file contains OLE object data with a Composite Moniker, indicating exploitation of CVE-2017-8570. This vulnerability is known to drop SCT scripts, which are then executed. The presence of a PE header within the hex data further suggests the embedded object is a Windows executable payload. The extracted artifact objdata_05_off0002a4ef.bin likely contains this payload.
Heuristics 9
-
Composite Moniker — CVE-2017-8570 (drops SCT script) critical CVE_2017_8570RTF \objdata decodes to OLE data containing the Composite Moniker — CVE-2017-8570 (drops SCT script) CLSID — the vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
-
Composite Moniker in RTF OLE object high RTF_COMPOSITE_MONIKER_RELATEDRTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
-
ClamAV: Win.Malware.Filerepmalware-6709941-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Win.Malware.Filerepmalware-6709941-0
-
PE header (with DOS stub) in hex data critical RTF_MZ_HEXHex-encoded PE (MZ + DOS stub) found inside RTF — likely an embedded executable payload
-
\objupdate forces OLE activation high RTF_OBJUPDATERTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
-
Large hex data blocks in OLE object high RTF_EXCESSIVE_HEXRTF contains ~1349KB of hex-encoded data inside \objdata sections — may hide a payload
-
OLE object data medium RTF_OBJDATARTF contains 6 \objdata section(s) — embedded OLE objects
-
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2003/wordml In RTF body
Extracted artifacts 6
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
objdata_00_off00018657.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x18657 | 873 bytes |
SHA-256: c481ae32e55cd5aed2c08c2e2d44fffd4c3c894b98dd0aadef7fe1bcc1714b99 |
|||
objdata_01_off00018d62.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x18D62 | 31676 bytes |
SHA-256: 8e1be3feb782a829ff258a0e054e4c260ab6864e307e975e6874709ef91bf7cf |
|||
objdata_02_off00028512.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x28512 | 487 bytes |
SHA-256: fbdc08917d7c4e786f601c1fc37cd61fc0fa1fdd4c6590c37bf66bf37ded9f73 |
|||
objdata_03_off0002891c.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x2891C | 833 bytes |
SHA-256: a57103bc84a2998af640e20eec949b44c7cbeb12765e1e7ce6b5161436b0b531 |
|||
objdata_04_off0002900f.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x2900F | 2633 bytes |
SHA-256: 1feb5f150bb35566d1a01fc59a357dc0ea34bc7498e0ec99bd939f6f848044b0 |
|||
objdata_05_off0002a4ef.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x2A4EF | 588492 bytes |
SHA-256: 75e721eb59d0e02bbc287107125e01177aaf07be242abd943c7ca4673e971a99 |
|||
|
Detection
ClamAV:
Win.Malware.Filerepmalware-6709941-0
Obfuscation or payload:
likely
Static shellcode analysis found candidate code region(s). Indicators: SC_MSF_REVERSE, SC_STR_VIRTUALALLOC, SC_STR_LOADLIBRARY Static shellcode analysis recovered API/import strings: LoadLibraryExA, VirtualAlloc, GetProcAddress, ExitProcess
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.