MALICIOUS
160
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment
The RTF file contains OLE object data that exploits CVE-2017-8570 via a composite moniker. This vulnerability is known to drop and execute a script, which is a common initial step for malware. The document body appears to be a legitimate contract amendment, suggesting a lure to entice the user to open the malicious RTF file.
Heuristics 4
-
Composite Moniker — CVE-2017-8570 (drops SCT script) critical CVE_2017_8570RTF \objdata decodes to OLE data containing the Composite Moniker — CVE-2017-8570 (drops SCT script) CLSID — the vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
-
Composite Moniker in RTF OLE object high RTF_COMPOSITE_MONIKER_RELATEDRTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
-
Automatically linked OLE object high RTF_OBJAUTLINKRTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
-
OLE object data medium RTF_OBJDATARTF contains 1 \objdata section(s) — embedded OLE objects
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
objdata_00_off000017be.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x17BE | 4146 bytes |
SHA-256: a2f97a2d69a894e25a387b92b6e568a8b3262fe373ee3e76c44a86dec03eaa4f |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.