Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 ff381561194eae8d…

Verdict: MALICIOUS

File type: RTF / .DOC

Size: 295.5 KB

MD5:     56031cae7ff0acf6da4b77070c607774
SHA-1:   c9f9047e53d83becc7c6076c899a703f1e6e1a76
SHA-256: ff381561194eae8d503307490082530d0b452297e33610d219d6a116814b6447

Risk Score: 180

Malware Insights

MITRE ATT&CK
  • T1204.002 User Execution: Malicious File
  • T1566.001 Phishing: Spearphishing Attachment

The RTF document contains multiple OLE object data sections and uses automatic linking and update triggers, indicating an attempt to embed and execute external content. The document body explicitly instructs the user to 'download the document and click Enable Editing', a clear lure to bypass macro security. This suggests the file is a dropper designed to execute malicious code upon user interaction.

Heuristics (6)

  • Composite Moniker in RTF OLE object [high, CVE related] RTF_COMPOSITE_MONIKER_RELATED
    RTF contains a Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • Automatically linked OLE object [high] RTF_OBJAUTLINK
    RTF contains \objautlink, an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation [high] RTF_OBJUPDATE
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 4 \objdata section(s), i.e. embedded OLE objects.
  • Embedded OLE object [medium] RTF_OBJEMB
    RTF contains \objemb, an embedded OLE object.
  • Macro/content-enable lure [medium] SE_ENABLE_LURE
    Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename                    | Kind                | Source                         | Size
----------------------------|---------------------|--------------------------------|------------
objdata_00_off0000096e.bin  | rtf-objdata-decoded | RTF \objdata at offset 0x96E   | 40496 bytes
  SHA-256: b86285cf85473033421eaa6ac087d29112ec12423be5d63b0ca2c2879af6766e
objdata_01_off0000711d.bin  | rtf-objdata-decoded | RTF \objdata at offset 0x711D  | 40469 bytes
  SHA-256: 1e288fdbcba32bcb5b32713c99f4737bfb6bce263f9838697249840249cb94de
objdata_02_off0001ba8e.bin  | rtf-objdata-decoded | RTF \objdata at offset 0x1BA8E | 2632 bytes
  SHA-256: 3cd3b7d42e5855c90d6d11c54ef2670ed8970441480cc23f7d39ef08fa1c935b
objdata_03_off0001d031.bin  | rtf-objdata-decoded | RTF \objdata at offset 0x1D031 | 12297 bytes
  SHA-256: e8d4fe950caed6dcfde26f4b616825bbe11b93458425974b7d075167f675abf7