Gandcrab — RTF malware analysis

Static analysis result for SHA-256 cafde3870cfd16d6…

MALICIOUS

RTF

804.9 KB First seen: 2019-05-16
MD5: 7cd239fc010b4c135dce6a25d1e6f207 SHA-1: 0c834924b36a5c7ec008c2333a9d5b03f03882f9 SHA-256: cafde3870cfd16d6bfcb84469e06b92282ff8bb42d660298f2f29e34cdd5e55b
424 Risk Score

Malware Insights

Gandcrab · confidence 95%

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF file contains multiple indicators of exploitation targeting Equation Editor, specifically referencing CVE-2017-8570 which is known to drop SCT scripts. ClamAV detections confirm this is Gandcrab ransomware. The embedded OLE object data, particularly at offset 0xC553C, likely contains the malicious script payload.

Heuristics 10

  • Composite Moniker — CVE-2017-8570 (drops SCT script) critical CVE related CVE_2017_8570
    RTF \objdata decodes to OLE data containing the Composite Moniker — CVE-2017-8570 (drops SCT script) CLSID — the vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
  • Equation Editor CLSID critical CVE likely RTF_EQUATION_EDITOR
    Equation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
  • Composite Moniker in RTF OLE object high CVE related RTF_COMPOSITE_MONIKER_RELATED
    RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • ClamAV: Win.Ransomware.Gandcrab-6700520-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Ransomware.Gandcrab-6700520-0
  • PE header (with DOS stub) in hex data critical RTF_MZ_HEX
    Hex-encoded PE (MZ + DOS stub) found inside RTF — likely an embedded executable payload
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 8 \objdata section(s) — embedded OLE objects
  • OlePres presentation stream in RTF OLE object medium RTF_OLEPRES_STREAM
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://nsis.sf.net/NSIS_Error In RTF body
    • http://ns.adobe.com/xap/1.0/In RTF body
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In RTF body
    • http://ns.adobe.com/xap/1.0/mm/In RTF body
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#In RTF body
    • http://ns.adobe.com/xap/1.0/rights/In RTF body

Extracted artifacts 7

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0000002f.bin rtf-objdata-decoded RTF \objdata at offset 0x2F 887 bytes
SHA-256: 63c0c8928d7dba416d73c39a7f0eaf44893fd70add55efa5088566e0f4599c0d
objdata_01_off0000078d.bin rtf-objdata-decoded RTF \objdata at offset 0x78D 612 bytes
SHA-256: c62851521e10316dfd43f2b6ee67cc27e2a24456bb346c8fa9dc4a6d6e21d526
objdata_02_off00000c8f.bin rtf-objdata-decoded RTF \objdata at offset 0xC8F 401239 bytes
SHA-256: 20876d0003b6e06d87d83d2610ef25ccac520e58379a9eee90c579faed943f7f
Detection
ClamAV: Win.Ransomware.Gandcrab-6700520-0
Obfuscation or payload: likely
Carved artifact entropy is 7.95, consistent with packed or encrypted content.
objdata_03_off000c4b7b.bin rtf-objdata-decoded RTF \objdata at offset 0xC4B7B 382 bytes
SHA-256: a6e12921d130c7b67ef4a947fc49a88b8274ff489967d5e1a01f75f39326a1f0
objdata_04_off000c4eab.bin rtf-objdata-decoded RTF \objdata at offset 0xC4EAB 789 bytes
SHA-256: 0cbf13d1acbd141eb9f48a47cdaf68def77b851570a5ad952a26f657ff3b6c68
objdata_05_off000c553c.bin rtf-objdata-decoded RTF \objdata at offset 0xC553C 2633 bytes
SHA-256: 1feb5f150bb35566d1a01fc59a357dc0ea34bc7498e0ec99bd939f6f848044b0
objdata_06_off000c6a46.bin rtf-objdata-decoded RTF \objdata at offset 0xC6A46 4675 bytes
SHA-256: f9caf77e9bfb0390eefbd05298b30c1a2021145793d5c1b88eabd50db560ead4

Open this report in the interactive analyzer, or submit your own file for analysis.