Malicious RTF — malware analysis report

Static analysis result for SHA-256 bb0d2de8ccc860b7…

MALICIOUS

RTF

340.8 KB First seen: 2021-10-14
MD5: ea7e6a990c531f423a8aa7b3a81bcf80 SHA-1: 5acdc9a7b95416da31094423ad1963fa5dd41bee SHA-256: bb0d2de8ccc860b7bc33ad6c8e3ee03a0a8e3b95850a146a32d49e70ab1b8f4e
220 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains multiple indicators of OLE object manipulation, specifically related to composite monikers and automatic updates. The critical heuristic firing for CVE-2017-8570 indicates that the file is designed to exploit this vulnerability, which typically involves dropping and executing a script. This exploit is commonly delivered via spearphishing attachments.

Heuristics 6

  • Composite Moniker — CVE-2017-8570 (drops SCT script) critical CVE related CVE_2017_8570
    RTF \objdata decodes to OLE data containing the Composite Moniker — CVE-2017-8570 (drops SCT script) CLSID — the vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
  • Composite Moniker in RTF OLE object high CVE related RTF_COMPOSITE_MONIKER_RELATED
    RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • Automatically linked OLE object high RTF_OBJAUTLINK
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 3 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000007de.bin rtf-objdata-decoded RTF \objdata at offset 0x7DE 75728 bytes
SHA-256: 51c8a38cf8254867e800542d8dfa9954ef7d9e208b2a0d9b741b613fafbbdab0
objdata_01_off00026fc9.bin rtf-objdata-decoded RTF \objdata at offset 0x26FC9 2632 bytes
SHA-256: f4c761490fd63fc4aa791746a9a2b588dafd9e2c764f57f0c85377b99ef07062
objdata_02_off0002856c.bin rtf-objdata-decoded RTF \objdata at offset 0x2856C 12297 bytes
SHA-256: 44deae4627fee3c44f54d5bd10477ec2e17f4c08135f08e2417832e36d10d037

Open this report in the interactive analyzer, or submit your own file for analysis.