Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 f2f01e805c3ae507…

MALICIOUS

RTF / .DOC

233.5 KB First seen: 2022-06-24
MD5: d493f543bd4e59ec7dd6645e834e75d9 SHA-1: 3d1cabf83ce2ea96600ad44cbdf3087f28fa9fdc SHA-256: f2f01e805c3ae5075e314e1c576d036899cea4048cd24a1b2d4bd968a892f8a4
220 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1559.002 Component Object Model Hijacking T1059.005 Visual Basic

The RTF document contains OLE object data and triggers an objupdate event, indicating an attempt to activate embedded objects. The critical heuristic firing for CVE_2017_8570 confirms the exploitation of this vulnerability, which is known to drop SCT scripts. The document body explicitly prompts the user to 'Enable Editing', a common lure to bypass macro security. The exploitation of CVE-2017-8570 facilitates the execution of a script, likely for further payload delivery.

Heuristics 7

  • Composite Moniker — CVE-2017-8570 (drops SCT script) critical CVE related CVE_2017_8570
    RTF \objdata decodes to OLE data containing the Composite Moniker — CVE-2017-8570 (drops SCT script) CLSID — the vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
  • Composite Moniker in RTF OLE object high CVE related RTF_COMPOSITE_MONIKER_RELATED
    RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 3 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00000ba4.bin
9e2f502e31285e2cf25590f15831b09f3327134103160ba6887deeacc0fc7282		 rtf-objdata-decoded RTF \objdata at offset 0xBA4 23124 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 shell/COM execution token(s).
objdata_01_off0000c824.bin
625ba87dad062d63542a2f08013c93a4f9eac2363a88c9240f1688e698b82c02		 rtf-objdata-decoded RTF \objdata at offset 0xC824 2632 bytes
objdata_02_off0000ddc7.bin
142dc43284d9abe994719f8fb67bc4c04bfc3f07528a1a66b0bad7e552ee8e78		 rtf-objdata-decoded RTF \objdata at offset 0xDDC7 12297 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.