Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 d5636cadf6de18e4…

Verdict: MALICIOUS

File type: RTF / .DOC

Size: 346.9 KB

MD5:     705fb236e9ffcbb19699b0dd094398fe
SHA-1:   78783d2267a04f00b624d59e397bfb104ea43a56
SHA-256: d5636cadf6de18e49413a76c67d24d3572bccecc62bfccd7d52ec180d53abbc5

Risk Score: 160

Malware Insights

MITRE ATT&CK
T1559.001 Inter-Process Communication: Component Object Model

The RTF file contains multiple embedded OLE objects, and high-confidence heuristics indicate automatic-link and update triggers (\objautlink, \objupdate). This suggests the file is designed to force OLE object activation as soon as it is opened, with the goal of executing arbitrary code without user interaction. No specific malware family could be identified from the available evidence.

Heuristics (5)

  • Composite Moniker in RTF OLE object  [high] [CVE related]  RTF_COMPOSITE_MONIKER_RELATED
    RTF contains the Composite Moniker CLSID in an OLE object context, but no nearby scriptlet (.sct) payload was confirmed. Treat this as moniker attack-surface evidence related to CVE-2017-8570, not as proof that CVE-2017-8570 is exploited.
  • Automatically linked OLE object  [high]  RTF_OBJAUTLINK
    RTF contains \objautlink: an automatically linked OLE object, which Word can update or activate when it opens the document.
  • \objupdate forces OLE activation  [high]  RTF_OBJUPDATE
    RTF contains \objupdate, which forces the OLE object to be updated (instantiated) when the document is opened, without waiting for user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data  [medium]  RTF_OBJDATA
    RTF contains 4 \objdata section(s), the hex-encoded data streams of embedded OLE objects.
  • Embedded OLE object  [medium]  RTF_OBJEMB
    RTF contains \objemb: an embedded OLE object.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

objdata_00_off000007da.bin
  SHA-256: 39b00505a705704786ee5429babfce561bda1a4332968c31d8463edd9beecd49
  Kind:    rtf-objdata-decoded
  Source:  RTF \objdata at offset 0x7DA
  Size:    65990 bytes

objdata_01_off00006f89.bin
  SHA-256: 2adf4ea78d48e8d2bce8726b21b9d6151fb9293d6b3e66298fb3b265cc035142
  Kind:    rtf-objdata-decoded
  Source:  RTF \objdata at offset 0x6F89
  Size:    65963 bytes

objdata_02_off0002881c.bin
  SHA-256: 32e8e449cdc043249ce37c79c9eaf2af80a02cb8175718a8a0ce726d961b7d16
  Kind:    rtf-objdata-decoded
  Source:  RTF \objdata at offset 0x2881C
  Size:    2632 bytes

objdata_03_off00029dbf.bin
  SHA-256: e8d4fe950caed6dcfde26f4b616825bbe11b93458425974b7d075167f675abf7
  Kind:    rtf-objdata-decoded
  Source:  RTF \objdata at offset 0x29DBF
  Size:    12297 bytes
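As an added triage example (not part of this report or of the analysis engine that produced it), the Python below re-implements the control-word heuristics listed above and the \objdata carving behind the extracted artifacts: it finds \objautlink, \objupdate and \objemb, collects the hex digits of each \objdata group while skipping whitespace and nested control words, decodes the OLE1 blob, reads the class name from the OLE1 header, and flags the Composite Moniker CLSID (00000309-0000-0000-C000-000000000046) in the decoded bytes. The sample RTF, its class names (OLE2Link, Package), the payload bytes and the severities are constructed for the example and do not describe the analysed file.

```python
import re
import struct
import uuid

# Composite Moniker CLSID {00000309-0000-0000-C000-000000000046}: the class the
# RTF_COMPOSITE_MONIKER_RELATED rule looks for. A CLSID is serialised with its
# first three fields little-endian, so search for .bytes_le, not .bytes.
COMPOSITE_MONIKER_CLSID = uuid.UUID("00000309-0000-0000-c000-000000000046")

# Control-word rules mirroring the report's heuristics: (rule id, severity, word).
CONTROL_WORD_RULES = [
    ("RTF_OBJAUTLINK", "high", b"objautlink"),
    ("RTF_OBJUPDATE", "high", b"objupdate"),
    ("RTF_OBJEMB", "medium", b"objemb"),
]
OBJDATA_RE = re.compile(rb"\\objdata\b")
HEXDIGITS = frozenset(b"0123456789abcdefABCDEF")

def _objdata_hex(rtf, start):
    """Collect the hex digits after \\objdata until its RTF group closes.
    Whitespace and nested control words (a common obfuscation) are skipped."""
    depth, i, out = 0, start, bytearray()
    while i < len(rtf):
        b = rtf[i]
        if b == 0x7B:                       # "{" opens a nested group
            depth += 1
        elif b == 0x7D:                     # "}" at depth 0 ends our group
            if depth == 0:
                break
            depth -= 1
        elif b == 0x5C:                     # "\" starts a control word/symbol
            m = re.match(rb"\\(?:[a-zA-Z]+-?\d* ?|.)", rtf[i:], re.DOTALL)
            i += m.end() if m else 1
            continue
        elif b in HEXDIGITS:
            out.append(b)
        i += 1
    return bytes(out)

def parse_ole1_header(blob):
    """Parse the OLE1 ObjectHeader (MS-OLEDS): OLEVersion, FormatID and the
    length-prefixed ANSI class name. FormatID 1 = linked, 2 = embedded."""
    if len(blob) < 12:
        return None, None
    _version, format_id, name_len = struct.unpack_from("<III", blob, 0)
    name = blob[12:12 + name_len]
    if format_id not in (1, 2) or len(name) != name_len:
        return None, None
    return format_id, name.rstrip(b"\x00").decode("latin-1")

def scan_rtf(rtf):
    """Apply the control-word heuristics and carve every \\objdata blob.
    Returns {"hits": [(rule, severity), ...], "objects": [dict, ...]}."""
    hits = [(rule, sev) for rule, sev, word in CONTROL_WORD_RULES
            if re.search(rb"\\" + word + rb"\b", rtf)]
    objects = []
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = _objdata_hex(rtf, m.end())
        blob = bytes.fromhex(hexdata[: len(hexdata) & ~1].decode())
        fmt, cls = parse_ole1_header(blob)
        objects.append({
            "offset": m.start(),
            "size": len(blob),
            "format": {1: "linked", 2: "embedded"}.get(fmt, "unknown"),
            "class_name": cls,
            "composite_moniker": COMPOSITE_MONIKER_CLSID.bytes_le in blob,
        })
    if any(o["composite_moniker"] for o in objects):
        hits.append(("RTF_COMPOSITE_MONIKER_RELATED", "high"))
    if objects:
        hits.append(("RTF_OBJDATA", "medium"))
    return {"hits": hits, "objects": objects}

def build_ole1_blob(class_name, native, format_id=2):
    """Constructed OLE1 EmbeddedObject: header, empty TopicName/ItemName,
    NativeDataSize, NativeData. OLEVersion 0x00000501 is the usual value."""
    name = class_name.encode("ascii") + b"\x00"
    header = struct.pack("<III", 0x00000501, format_id, len(name)) + name
    header += struct.pack("<II", 0, 0)
    return header + struct.pack("<I", len(native)) + native

def build_sample_rtf():
    """Constructed sample (not the analysed file): one auto-linked, force-updated
    object whose payload carries the Composite Moniker CLSID, one plain \\objemb."""
    obj_a = build_ole1_blob("OLE2Link", COMPOSITE_MONIKER_CLSID.bytes_le + b"A" * 16)
    obj_b = build_ole1_blob("Package", b"B" * 32)

    def hexlines(blob, width=64):        # wrap like a real \objdata stream
        h = blob.hex().encode()
        return b"\n".join(h[i:i + width] for i in range(0, len(h), width))

    return (b"{\\rtf1\\ansi\n"
            b"{\\object\\objautlink\\objupdate{\\*\\objdata " + hexlines(obj_a) + b"}}\n"
            b"{\\object\\objemb{\\*\\objdata " + hexlines(obj_b) + b"}}\n"
            b"}")

if __name__ == "__main__":
    report = scan_rtf(build_sample_rtf())
    for rule, sev in report["hits"]:
        print(f"{sev:<6} {rule}")
    for o in report["objects"]:
        print(f"\\objdata at offset 0x{o['offset']:X}: {o['size']} bytes, "
              f"{o['format']} {o['class_name']}, composite moniker={o['composite_moniker']}")
```

The carver stops at the closing brace of the \objdata group and drops anything that is not a hex digit, which is also what Word's reader does; this is why obfuscated samples that interleave junk control words inside the hex stream still decode. Real \objdata streams can be far larger than the sample here (the artifacts above are up to 65990 bytes decoded), so on real input the per-object blob should be written to disk and hashed as the report does, rather than kept only in memory.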