Malicious RTF — malware analysis report

Static analysis result for SHA-256 0cb861707fe477a3…

Verdict: MALICIOUS
File type: RTF
Size: 428.0 KB
Created: 2020-02-12
First seen: 2020-09-07
MD5: d3abb721fc76330c3c3cc153cfe66302
SHA-1: 8d722e5f1580fbb7c3ae3d43cece538bf27cf65f
SHA-256: 0cb861707fe477a31041927ebbc5ba7ed0ffbe280b412b021e4598f570f983bb
Risk score: 142

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059 Command and Scripting Interpreter

The RTF document contains embedded OLE objects, indicated by RTF_OBJDATA and RTF_OBJEMB heuristics. The RTF_OBJUPDATE heuristic suggests these objects are activated automatically. A critical heuristic flagged suspicious shellcode API strings and a shellcode URL within an extracted artifact, pointing towards the execution of malicious code. The embedded URL 'http://schemas.mic' is suspicious and likely part of the malicious chain.

Heuristics (5)

  • Suspicious extracted artifact (critical) EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • \objupdate forces OLE activation (high) RTF_OBJUPDATE
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (medium) RTF_OBJDATA
    RTF contains 1 \objdata section(s): embedded OLE objects.
  • Embedded OLE object (medium) RTF_OBJEMB
    RTF contains \objemb: embedded OLE object.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
      • http://schemas.mic (in RTF body)
      • http://bit.ly/3dazQp3 (in RTF body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  Filename: objdata_00_off00061438.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x61438
  Size: 1438 bytes
  SHA-256: 810ffe52a558bc7d49331f2cbc31a41f41dc46b5e9b7aebf253eb9d24d903169
  Detection
    ClamAV: No threats found
    Obfuscation or payload: likely
    Static shellcode analysis:
      • Recovered URL(s): http://bit.ly/3dazQp3
      • Found candidate code region(s). Indicators: SC_STR_LOADLIBRARY, SC_STR_URLDOWNLOAD, SC_PEB_ACCESS
      • Recovered API/import strings: LoadLibraryA, GetProcAddress, URLDownloadToFileA, ExitProcess