MALICIOUS
340
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious File
T1137.003 Libtool Dynamic Library Modification
The RTF document contains multiple OLE objects, including automatically linked and updated objects, which are designed to activate embedded content. The presence of a 'Macro/content-enable lure' heuristic indicates the document likely instructs the user to enable macros or editing to bypass security measures. This suggests the file is a dropper intended to download and execute a second-stage payload upon user interaction.
Heuristics 9
-
Composite Moniker — CVE-2017-8570 (drops SCT script) critical CVE_2017_8570RTF \objdata decodes to OLE data containing the Composite Moniker — CVE-2017-8570 (drops SCT script) CLSID — the vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
-
CVE-2017-0199 / CVE-2017-8759 (OLE2Link auto-activated remote loader) critical RTF_OLE2LINK_REMOTE_MONIKER_LOADERRTF embeds an OLE2Link object that is force-activated with \objupdate (no user interaction on open) and fetches a remote second stage — through an INCLUDETEXT/INCLUDEPICTURE field or the OLE object's own moniker. This is the OLE2Link auto-update attack path shared by CVE-2017-0199 (server returns an HTA/scriptlet) and CVE-2017-8759 (server returns a SOAP WSDL the .NET parser compiles). Office processes the fetched response through the same code path; the specific CVE depends on the now-unreachable server content type.
-
Composite Moniker in RTF OLE object high RTF_COMPOSITE_MONIKER_RELATEDRTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
-
Automatically linked OLE object high RTF_OBJAUTLINKRTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
-
\objupdate forces OLE activation high RTF_OBJUPDATERTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
-
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
OLE object data medium RTF_OBJDATARTF contains 3 \objdata section(s) — embedded OLE objects
-
Embedded OLE object medium RTF_OBJEMBRTF contains \objemb — embedded OLE object
-
Macro/content-enable lure medium SE_ENABLE_LUREDocument instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
objdata_00_off00000969.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x969 | 26658 bytes |
SHA-256: d02955434f88e0190958513351ffebd18856b4e92a81f958951cd5fcebb70d8a |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Static shellcode analysis recovered command string(s): WScript.Shell"")")
|
|||
objdata_01_off0000e2a2.bin |
rtf-objdata-decoded | RTF \objdata at offset 0xE2A2 | 2632 bytes |
SHA-256: 9d9bc825f2fa5e0ed8db7dce6823e199ad9c775873472d42887214589f205470 |
|||
objdata_02_off0000f845.bin |
rtf-objdata-decoded | RTF \objdata at offset 0xF845 | 12297 bytes |
SHA-256: 44deae4627fee3c44f54d5bd10477ec2e17f4c08135f08e2417832e36d10d037 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.