Malicious RTF — malware analysis report

Static analysis result for SHA-256 b5b5a9d7a8602bdc…

MALICIOUS

RTF

1.59 MB First seen: 2019-08-04
MD5: f4a0dc9927bfc3599b7a6eef4ffaf9e0 SHA-1: 24aa66dc8e982beb44a885824308814fbcc805b3 SHA-256: b5b5a9d7a8602bdc620838399ea40b9a19dc967d015367941ffce888e235cf92
464 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF file contains multiple indicators of exploitation, including the use of a Composite Moniker and Equation Editor CLSID, strongly suggesting the exploitation of CVE-2017-8570. This vulnerability is known to drop and execute a script, likely leading to the execution of a second-stage payload. The presence of large amounts of hex-encoded data within OLE objects further supports the hiding of a malicious payload.

Heuristics 11

  • Composite Moniker — CVE-2017-8570 (drops SCT script) critical CVE related CVE_2017_8570
    RTF \objdata decodes to OLE data containing the Composite Moniker — CVE-2017-8570 (drops SCT script) CLSID — the vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
  • Equation Editor CLSID critical CVE likely RTF_EQUATION_EDITOR
    Equation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
  • Composite Moniker in RTF OLE object high CVE related RTF_COMPOSITE_MONIKER_RELATED
    RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • ClamAV: Win.Malware.Coins-9985675-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Malware.Coins-9985675-0
  • PE header (with DOS stub) in hex data critical RTF_MZ_HEX
    Hex-encoded PE (MZ + DOS stub) found inside RTF — likely an embedded executable payload
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • Large hex data blocks in OLE object high RTF_EXCESSIVE_HEX
    RTF contains ~1433KB of hex-encoded data inside \objdata sections — may hide a payload
  • OLE object data medium RTF_OBJDATA
    RTF contains 7 \objdata section(s) — embedded OLE objects
  • OlePres presentation stream in RTF OLE object medium RTF_OLEPRES_STREAM
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://nsis.sf.net/NSIS_Error In RTF body
    • http://schemas.microsoft.com/SMI/2005/WindowsSettingsIn RTF body
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliographyIn RTF body
    • http://schemas.openxmlformats.org/officeDocument/2006/customXmlIn RTF body
    • http://schemas.openxmlformats.org/drawingml/2006/mainIn RTF body

Extracted artifacts 6

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00000031.bin rtf-objdata-decoded RTF \objdata at offset 0x31 716762 bytes
SHA-256: a3c8276f30ca5e0906aa3bb1a0c220cfc0ba566f964ab0f8062ddebbfdccf289
Detection
ClamAV: Win.Malware.Coins-9985675-0
Obfuscation or payload: likely
Carved artifact entropy is 7.98, consistent with packed or encrypted content.
objdata_01_off00162a1d.bin rtf-objdata-decoded RTF \objdata at offset 0x162A1D 100044 bytes
SHA-256: 2ebd21766daef37fce64b8a10b6642481ac67d2583f6c14a0ccf856fef16ce39
objdata_02_off001937ed.bin rtf-objdata-decoded RTF \objdata at offset 0x1937ED 462 bytes
SHA-256: 1fc984b84321e6a82ecaf923edd7fcaabe8ab7934f072eb0370458c42b90210d
objdata_03_off00193bc5.bin rtf-objdata-decoded RTF \objdata at offset 0x193BC5 877 bytes
SHA-256: 76f3e5239d2c790a4fec1d75e41e3216cf3d21a28661c8e5153da071db1826f7
objdata_04_off0019431d.bin rtf-objdata-decoded RTF \objdata at offset 0x19431D 2247 bytes
SHA-256: 992c836552ac8953ea96f98fe3fdf2f015904931030078610b1ec4c608451d62
objdata_05_off00195541.bin rtf-objdata-decoded RTF \objdata at offset 0x195541 4679 bytes
SHA-256: a031167f29c59aa6f60f009231ba4b3342834ba008154b405252e98bc2ed362a

Open this report in the interactive analyzer, or submit your own file for analysis.