Malicious RTF — malware analysis report

Static analysis result for SHA-256 0d87e102de569fc5…

MALICIOUS

RTF

Size: 183.9 KB
First seen: 2019-01-31
MD5: 3f6e4dff2f029b7a7d468e464c956e77
SHA-1: 7a56b89c7ea689c2dc1d762f3561f154fc58847c
SHA-256: 0d87e102de569fc56af43a212990ccf9fda09441d198e441a367b0f54831760d
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The RTF file contains an "ENABLE EDITING" lure, a common social engineering tactic to bypass security measures. Heuristics indicate the presence of embedded OLE objects and an attempt to force their activation, suggesting the file is designed to execute a secondary payload. No specific family could be identified.

Heuristics (4)

  • Heap-spray pattern detected (severity: high, rule: SC_HEAP_SPRAY)
    Repeated 0x0C bytes found
    Disassembly (attempted x86 opcode disassembly of the repeated bytes):
    00000065  0c0c              or al, 0xc
    00000067  0c0c              or al, 0xc
    00000069  0c0c              or al, 0xc
    0000006B  0c0c              or al, 0xc
    0000006D  0c0c              or al, 0xc
    0000006F  0c0c              or al, 0xc
    00000071  0c0c              or al, 0xc
    00000073  0c0c              or al, 0xc
    00000075  0c0c              or al, 0xc
    00000077  0c0c              or al, 0xc
    00000079  0c0c              or al, 0xc
    0000007B  0c0c              or al, 0xc
    0000007D  0c0c              or al, 0xc
    0000007F  0c0c              or al, 0xc
    00000081  0c0c              or al, 0xc
    00000083  0c0c              or al, 0xc
    00000085  0c0c              or al, 0xc
    00000087  0c0c              or al, 0xc
    00000089  0c0c              or al, 0xc
    0000008B  0c0c              or al, 0xc
    0000008D  0c0c              or al, 0xc
    0000008F  0c0c              or al, 0xc
    00000091  0c0c              or al, 0xc
    00000093  0c0c              or al, 0xc
    00000095  0c0c              or al, 0xc
    00000097  0c0c              or al, 0xc
    00000099  0c0c              or al, 0xc
    0000009B  0c0c              or al, 0xc
    0000009D  0c0c              or al, 0xc
    0000009F  0c0c              or al, 0xc
    000000A1  0c0c              or al, 0xc
    000000A3  0c0c              or al, 0xc
    000000A5  0c0c              or al, 0xc
    000000A7  0c0c              or al, 0xc
    000000A9  0c0c              or al, 0xc
    000000AB  0c0c              or al, 0xc
    000000AD  0c0c              or al, 0xc
    000000AF  0c0c              or al, 0xc
    000000B1  0c0c              or al, 0xc
    000000B3  0c0c              or al, 0xc
    000000B5  0c0c              or al, 0xc
    000000B7  0c0c              or al, 0xc
    000000B9  0c0c              or al, 0xc
    000000BB  0c0c              or al, 0xc
    000000BD  0c0c              or al, 0xc
    000000BF  0c0c              or al, 0xc
    000000C1  0c0c              or al, 0xc
    000000C3  0c0c              or al, 0xc
  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Macro/content-enable lure (severity: medium, rule: SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: objdata_00_off0000509b.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x509B
    Size: 50170 bytes
    SHA-256: 08779fdc5cc11c5bf75f6bf421dc62d74397c24f670bfa80f333ab06583fb0ab