Malicious RTF — malware analysis report

Static analysis result for SHA-256 e9339747b31f576e…

MALICIOUS

RTF

2.07 MB Created: 2016-12-27 11:42:00 First seen: 2017-11-20
MD5: 025b6fb24dc9dc6c93aeaf6e5baec2aa SHA-1: 88357af86c5984cca1b34150e7be08d5db58be03 SHA-256: e9339747b31f576e6d4049696a4f4bd7053bcd29dafb0a7f2e55b8aab1539b67
182 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains OLE object data and an automatically linked OLE object, indicating it attempts to leverage external resources. The critical finding of CVE-2017-0199 confirms the exploitation of a remote URL moniker to download a secondary payload, likely disguised as 'Doc1.jpg'. This technique is commonly used to deliver further malicious content.

Heuristics 6

  • CVE-2017-0199 (OLE2Link / remote URL Moniker) critical CVE likely CVE_2017_0199
    RTF contains a URL Moniker OLE link whose decoded target is remote. Office can fetch and process the response through the CVE-2017-0199 OLE2Link attack path, but the server-side content type is not proven statically.
  • Automatically linked OLE object high RTF_OBJAUTLINK
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • Large hex data blocks in OLE object high RTF_EXCESSIVE_HEX
    RTF contains ~2125KB of hex-encoded data inside \objdata sections — may hide a payload
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • OlePres presentation stream in RTF OLE object medium RTF_OLEPRES_STREAM
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2003/wordml In RTF body
    • http://d218w8g44zaxak.cloudfront.net/Doc1.jpgIn RTF body

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00003353.bin rtf-objdata-decoded RTF \objdata at offset 0x3353 5932 bytes
SHA-256: 89640dfc8e9002288377f8d87496e67ea1482789528e87752f71b191e157eea7

Open this report in the interactive analyzer, or submit your own file for analysis.