Malicious RTF — malware analysis report

Static analysis result for SHA-256 fbf320bae8b20dc5…

MALICIOUS

RTF

Size: 2.46 MB
Authoring application: Msftedit 5.41.15.1515
MD5: 0ad1fc8472417d0adb04f53c8f94b246
SHA-1: 7a1da2ee0a7e2795556b3344b32b5d143c755f99
SHA-256: fbf320bae8b20dc5fb2ef4ba8dbc167ef90fb9b3d78ec4b4fe48ed50bcabd181
Risk Score: 220

Malware Insights

MITRE ATT&CK
  • T1204 Malicious Link
  • T1059.001 PowerShell

The RTF document contains a large amount of hex-encoded data within an OLE object, which is indicative of a hidden payload. The presence of a PE header within this hex data further supports this. The document body contains text suggesting a user interaction, likely clicking a link. This points to a delivery mechanism designed to trick the user into executing a malicious file.

Heuristics (6)

  • Composite Moniker in RTF OLE object (severity: high; tag: CVE related; rule: RTF_COMPOSITE_MONIKER_RELATED)
    RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • PE header (with DOS stub) in hex data (severity: critical; rule: RTF_MZ_HEX)
    Hex-encoded PE (MZ + DOS stub) found inside RTF; likely an embedded executable payload.
  • Package object class (severity: high; rule: RTF_OBJCLASS_PACKAGE)
    OLE Package object; can wrap arbitrary files.
  • Large hex data blocks in OLE object (severity: high; rule: RTF_EXCESSIVE_HEX)
    RTF contains ~2428 KB of hex-encoded data inside \objdata sections; may hide a payload.
  • OLE object data (severity: medium; rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s); embedded OLE objects.
  • Embedded OLE object (severity: medium; rule: RTF_OBJEMB)
    RTF contains \objemb; embedded OLE object.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000000d3.bin
SHA-256:  795bc2d5beee5df6c0bf8a8954931f6571f3059411d1764858f3fc437b15e292
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0xD3
Size:     1183737 bytes