Malicious RTF — malware analysis report

Static analysis result for SHA-256 f415487e104efb2d…

MALICIOUS

RTF

1.02 MB
MD5: 35c9dcf7c4a922996d01cd1172e5ee72 SHA-1: f04b7261c7209fbca4a6ca7b64d52b24fb0a0bef SHA-256: f415487e104efb2d80000858f7942cd9db73526601066eca5e63d99a50926298
280 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The RTF document contains multiple indicators of malicious activity, including OLE object data, composite monikers, and an explicit lure to enable editing and macros. The presence of CVE-2017-8570 suggests the file is designed to drop a script, likely for further execution. The document body's message about 'Microsoft Office does not work in email Preview' is a common social engineering tactic to prompt users to open and enable content.

Heuristics 8

  • Composite Moniker — CVE-2017-8570 (drops SCT script) critical CVE related CVE_2017_8570
    RTF \objdata decodes to OLE data containing the Composite Moniker — CVE-2017-8570 (drops SCT script) CLSID — the vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
  • Composite Moniker in RTF OLE object high CVE related RTF_COMPOSITE_MONIKER_RELATED
    RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • Automatically linked OLE object high RTF_OBJAUTLINK
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • Large hex data blocks in OLE object high RTF_EXCESSIVE_HEX
    RTF contains ~1037KB of hex-encoded data inside \objdata sections — may hide a payload
  • OLE object data medium RTF_OBJDATA
    RTF contains 4 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00000966.bin
589e5f8def34a05688b45b988dc55eb40455bbc098a1f0c00e729ecc391b3e00		 rtf-objdata-decoded RTF \objdata at offset 0x966 408276 bytes
objdata_01_off00007115.bin
ee8413e944a90cb58c12cafa5179dbd04dfa41e96fbc87b8d53dba335a7181b3		 rtf-objdata-decoded RTF \objdata at offset 0x7115 408249 bytes
objdata_02_off000d66bc.bin
51ef705eef602ac6eb91c2063c8f50d4e54b5e051b60429031d41133bc7df645		 rtf-objdata-decoded RTF \objdata at offset 0xD66BC 2632 bytes
objdata_03_off000d7c5f.bin
e8d4fe950caed6dcfde26f4b616825bbe11b93458425974b7d075167f675abf7		 rtf-objdata-decoded RTF \objdata at offset 0xD7C5F 12297 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.