Malicious RTF — malware analysis report

Static analysis result for SHA-256 0f755c0b0c74a4cd…

MALICIOUS

RTF

Size: 497.9 KB
Created: 2017-12-13 12:51:00
First seen: 2021-02-23
MD5: dc2b5ca7d1d551330b2ae4986f368689
SHA-1: 6936db9e04ed1ad08dde30dc148272d5eaa435ec
SHA-256: 0f755c0b0c74a4cda49b7b415c0d162625ded96690cebb929c6901eea2170c4a
Risk score: 102

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file contains multiple OLE objects, a common technique for embedding malicious content. ClamAV specifically identifies this file as 'Doc.Exploit.DDEautoexec-6346603-1', indicating a known exploit related to DDE auto-execution. This suggests the file is designed to leverage DDE to run arbitrary commands on the victim's system, likely delivered as a spearphishing attachment.

Heuristics (4)

  • ClamAV: Doc.Exploit.DDEautoexec-6346603-1 [severity: critical, tag: CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Exploit.DDEautoexec-6346603-1
  • OLE object data [severity: medium, tag: RTF_OBJDATA]
    RTF contains 10 \objdata section(s): embedded OLE objects
  • Embedded OLE object [severity: medium, tag: RTF_OBJEMB]
    RTF contains \objemb: embedded OLE object
  • Embedded URL [severity: info, tag: EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (found in RTF body)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: objdata_00_off000035c8.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x35C8
    Size: 19505 bytes
    SHA-256: fee43368a3448f57dd21bcdd985d48377181980814c2f2a99b1b5edb14a79fad
  • Filename: objdata_03_off00025529.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x25529
    Size: 19505 bytes
    SHA-256: bf98a392925e780fa30df447caf81fea3920bc4d0ff9de3e0493e7917e115a41
  • Filename: objdata_07_off000529a9.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x529A9
    Size: 19505 bytes
    SHA-256: a615d352a5bdb79f1db85d36fb1ad97f34eec9f2ea7d9755a217429b939db5c0