Malicious RTF — malware analysis report

Static analysis result for SHA-256 c16cdce72822bd40…

MALICIOUS

RTF

830.1 KB Created: 2023-01-06 09:23:00 Authoring application: Aspose.Words for .NET 19.11 First seen: 2024-06-24
MD5: 7a26f14a61caddf7dc86c3c206bdd3ed SHA-1: d6bcbc0eb29ac7dd9f82b4cef3b52ffb8b61bfcf SHA-256: c16cdce72822bd40a5769811c36768147a3090438b1511fa01c68f7c51bd65c6
202 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The RTF document contains multiple OLE object data sections and uses \objupdate to force OLE activation, indicating an attempt to exploit OLE vulnerabilities. A heap-spray pattern was also detected, suggesting memory corruption for code execution. The file's SHA256 hash is provided as a primary IOC.

Heuristics 7

  • Composite Moniker in RTF OLE object high CVE related RTF_COMPOSITE_MONIKER_RELATED
    RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • Ole10Native stream in RTF OLE object high CVE related RTF_OLE10NATIVE_STREAM
    RTF contains an embedded OLE object with an Ole10Native stream. This is a strong payload-container signal and is related to Word/OLE exploit delivery, but it is not specific enough on its own to assign a CVE.
  • Heap-spray pattern detected high SC_HEAP_SPRAY
    Repeated 0x41 (A) bytes found
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 3 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00002b90.bin
e95efbf097064957a536a3a1cd0d0087e054fca7889fe950afcdb26ac8e95de1		 rtf-objdata-decoded RTF \objdata at offset 0x2B90 409128 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
objdata_01_off000cacd7.bin
e3c987ff0c4e3b56b20b02d26375cc633274b1581473fb0064a7a343dbdc26f0		 rtf-objdata-decoded RTF \objdata at offset 0xCACD7 8896 bytes
objdata_02_off000cacf1.bin
21afad432e6c488411043028da3ebc00044f94b5a10eabe6641bbe6f8c98a982		 rtf-objdata-decoded RTF \objdata at offset 0xCACF1 8892 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.