Malicious RTF — malware analysis report

Static analysis result for SHA-256 01a657f240c80d72…

MALICIOUS

RTF

900.2 KB Created: 1996-06-17 15:24:00 First seen: 2021-07-07
MD5: 5fb345223197fc396857c6af9a09ed25 SHA-1: 087cd9b8855b0a476bd00cb59e3eada2a36d4db4 SHA-256: 01a657f240c80d72cebc376306cdafea51f849e60b81d23a4f7a87911f357d7b
422 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF file contains embedded OLE objects and references to Windows APIs such as URLDownloadToFile, CreateProcess, and ShellExecute, strongly suggesting it is designed to download and execute a secondary payload. The document body discusses financial connectivity, which is likely a lure to disguise the malicious intent. Taken together, these API references and embedded objects point towards downloader or dropper malware.

Heuristics 12

  • Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD
    Reference to URLDownloadToFile API
  • x86 GetPC stub (CALL $+5; POP EAX) high SC_GETPC_CALL
    x86 GetPC stub (CALL $+5; POP EAX): a CALL to the very next instruction pushes its own return address, which POP EAX then recovers, giving position-independent code its runtime address. In the listing below that address (saved at [ebp - 0xc]) appears to be compared against each list entry's base (+0x18) and base-plus-size (+0x20), consistent with a routine that locates the module containing the running code.
    Disassembly
    Attempted x86 opcode disassembly
    00025F8B  e800000000        call 0x25f90
    00025F90  58                pop eax
    00025F91  8945f4            mov dword ptr [ebp - 0xc], eax
    00025F94  8b45f8            mov eax, dword ptr [ebp - 8]
    00025F97  3b45f0            cmp eax, dword ptr [ebp - 0x10]
    00025F9A  7431              je 0x25fcd
    00025F9C  8b45f8            mov eax, dword ptr [ebp - 8]
    00025F9F  8945fc            mov dword ptr [ebp - 4], eax
    00025FA2  8b45fc            mov eax, dword ptr [ebp - 4]
    00025FA5  8b4df4            mov ecx, dword ptr [ebp - 0xc]
    00025FA8  3b4818            cmp ecx, dword ptr [eax + 0x18]
    00025FAB  7616              jbe 0x25fc3
    00025FAD  8b45fc            mov eax, dword ptr [ebp - 4]
    00025FB0  8b4018            mov eax, dword ptr [eax + 0x18]
    00025FB3  8b4dfc            mov ecx, dword ptr [ebp - 4]
    00025FB6  034120            add eax, dword ptr [ecx + 0x20]
    00025FB9  3945f4            cmp dword ptr [ebp - 0xc], eax
    00025FBC  7305              jae 0x25fc3
    00025FBE  8b45fc            mov eax, dword ptr [ebp - 4]
    00025FC1  eb0c              jmp 0x25fcf
    00025FC3  8b45f8            mov eax, dword ptr [ebp - 8]
    00025FC6  8b00              mov eax, dword ptr [eax]
    00025FC8  8945f8            mov dword ptr [ebp - 8], eax
    00025FCB  ebc7              jmp 0x25f94
    00025FCD  33c0              xor eax, eax
    00025FCF  c9                leave
    00025FD0  c3                ret
    00025FD1  55                push ebp
    00025FD2  8bec              mov ebp, esp
    00025FD4  83ec18            sub esp, 0x18
    00025FD7  8365ec00          and dword ptr [ebp - 0x14], 0
    00025FDB  e800000000        call 0x25fe0
    00025FE0  58                pop eax
    00025FE1  8945ec            mov dword ptr [ebp - 0x14], eax
    00025FE4  8365e800          and dword ptr [ebp - 0x18], 0
    00025FE8  8b45ec            mov eax, dword ptr [ebp - 0x14]
  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    PEB access via FS segment (x86): fs:[0x30] is the Process Environment Block pointer. The code that follows passes it to a helper, takes a module base from the result (+0x18) and adds the PE header offset read at +0x3c (e_lfanew), which is consistent with walking the loader's module list and parsing PE headers to resolve functions without an import table.
    Disassembly
    Attempted x86 opcode disassembly (the window appears to end mid-instruction, so the trailing bytes 03 41 decode as .byte/inc rather than as the start of the next add)
    00025EC9  64a130000000      mov eax, dword ptr fs:[0x30]
    00025ECF  8945f4            mov dword ptr [ebp - 0xc], eax
    00025ED2  ff75f4            push dword ptr [ebp - 0xc]
    00025ED5  e884000000        call 0x25f5e
    00025EDA  59                pop ecx
    00025EDB  8945fc            mov dword ptr [ebp - 4], eax
    00025EDE  837dfc00          cmp dword ptr [ebp - 4], 0
    00025EE2  7456              je 0x25f3a
    00025EE4  8b45fc            mov eax, dword ptr [ebp - 4]
    00025EE7  8b4018            mov eax, dword ptr [eax + 0x18]
    00025EEA  8b4dfc            mov ecx, dword ptr [ebp - 4]
    00025EED  8b4918            mov ecx, dword ptr [ecx + 0x18]
    00025EF0  03483c            add ecx, dword ptr [eax + 0x3c]
    00025EF3  894df0            mov dword ptr [ebp - 0x10], ecx
    00025EF6  8b45f0            mov eax, dword ptr [ebp - 0x10]
    00025EF9  83c004            add eax, 4
    00025EFC  8945ec            mov dword ptr [ebp - 0x14], eax
    00025EFF  8b45ec            mov eax, dword ptr [ebp - 0x14]
    00025F02  83c014            add eax, 0x14
    00025F05  8945f8            mov dword ptr [ebp - 8], eax
    00025F08  8b4508            mov eax, dword ptr [ebp + 8]
    00025F0B  8b4d08            mov ecx, dword ptr [ebp + 8]
    00025F0E  8b400d            mov eax, dword ptr [eax + 0xd]
    00025F11  0faf4109          imul eax, dword ptr [ecx + 9]
    00025F15  8945e4            mov dword ptr [ebp - 0x1c], eax
    00025F18  8b45fc            mov eax, dword ptr [ebp - 4]
    00025F1B  8b4018            mov eax, dword ptr [eax + 0x18]
    00025F1E  8b4df8            mov ecx, dword ptr [ebp - 8]
    00025F21  034114            add eax, dword ptr [ecx + 0x14]
    00025F24  8b4df8            mov ecx, dword ptr [ebp - 8]
    00025F27  03                .byte 0x03
    00025F28  41                inc ecx
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Payment redirection / bank-detail change lure high SE_PAYMENT_REDIRECT_LURE
    Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.microsoft.com/industry/bank/online.htm In RTF body

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
objdata_00_off00013102.bin rtf-objdata-decoded RTF \objdata at offset 0x13102 37989 bytes
SHA-256: 2197ed909883ce67f348c5c90a50008f39fb8681c0057bfbc15ba5948c5549c6