Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 b47ce41e9447fb8c…

MALICIOUS

RTF / .DOC

232.9 KB First seen: 2022-06-17
MD5: 2dc8f9be4d78ca956bba5ebb96589465 SHA-1: 87a14713d1e702c7209cb1e627fb71347b8f8f3a SHA-256: b47ce41e9447fb8cbb74db99c963f42c2ae22eb51ad9fadcf241f14e68012a15
220 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1566.001 Spearphishing Attachment T1059.005 Visual Basic

The RTF document contains OLE objects and triggers CVE-2017-8570, which is known to drop SCT scripts. The document body explicitly instructs the user to 'click Enable Editing when opening' to bypass security warnings. This suggests the document is designed as a lure to execute embedded malicious content, likely an SCT script, which would then proceed with further malicious actions.

Heuristics 7

  • Composite Moniker — CVE-2017-8570 (drops SCT script) critical CVE related CVE_2017_8570
    RTF \objdata decodes to OLE data containing the Composite Moniker — CVE-2017-8570 (drops SCT script) CLSID — the vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
  • Composite Moniker in RTF OLE object high CVE related RTF_COMPOSITE_MONIKER_RELATED
    RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 3 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0000095d.bin
76f44dd0a0c4d6160702a445c215ca7fcd3bb5dc205e1998f3027a33d8ffa7b1		 rtf-objdata-decoded RTF \objdata at offset 0x95D 23104 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 shell/COM execution token(s).
objdata_01_off0000c5b3.bin
acfe22ea9e4ff240389575cbfc30c4442fd35fc5f8c4bda2b30eb5c2cf4c1cf0		 rtf-objdata-decoded RTF \objdata at offset 0xC5B3 2632 bytes
objdata_02_off0000db56.bin
142dc43284d9abe994719f8fb67bc4c04bfc3f07528a1a66b0bad7e552ee8e78		 rtf-objdata-decoded RTF \objdata at offset 0xDB56 12297 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.