Malicious RTF — malware analysis report

Static analysis result for SHA-256 1120275dc25bc9a7…

MALICIOUS

File type: RTF
Size: 710.1 KB
Created: 2021-03-20 18:07:00
MD5: 2355186c6e027db1c2d3c9f9ea87e6ab
SHA-1: 26db9edbe980980a3c5f154f090f42e3fccb1058
SHA-256: 1120275dc25bc9a7b3e078138c7240fbf26c91890d829e51d9fa837fe90237ed
Risk score: 124

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution
  • T1059.007 JavaScript

The RTF file contains embedded OLE objects, with heuristics indicating the use of a URL moniker and an \objupdate control word that forces OLE activation when the document is opened. This suggests the document is designed to exploit vulnerabilities or trick the user into executing embedded content, likely a secondary payload downloaded from a URL. The document body, presented as a news report on COVID-19 statistics, serves as a lure.

Heuristics (6)

  • URL Moniker in RTF OLE object (severity: high; tag: CVE related; id: RTF_URL_MONIKER_RELATED)
    RTF contains a URL Moniker GUID in OLE object context, but no decoded remote target was confirmed. Treat as related OLE2Link attack-surface evidence rather than proof of CVE-2017-0199 exploitation.
  • \objupdate forces OLE activation (severity: high; id: RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium; id: RTF_OBJDATA)
    RTF contains 3 \objdata sections (embedded OLE objects).
  • Embedded OLE object (severity: medium; id: RTF_OBJEMB)
    RTF contains \objemb (embedded OLE object).
  • Suspicious extracted artifact (severity: info; id: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info; id: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://iz.ru/1138062/2021-03-17/v-rf-razrabatyvaiut-pribor-dlia-izmereniia-antitel-k-koronavirusu-doma
    • https://tass.ru/obschestvo/10914023
    • https://ria.ru/20210316/viza-1601506501.html
    • https://radiosputnik.ria.ru/20210317/antitela-1601729266.html
    • https://www.vesti.ru/article/2538144
    • http://schemas.microsoft.com/office/word/2003/wordml
    • https://radiosputnik.ria.ru/20210317/antitela-1601729266.html}{

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • objdata_00_off0001ff63.bin
    SHA-256: f91a60361ad5897aac356db3d551513afeea30df0da1ae8570c3bfff3b72c63d
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x1FF63
    Size: 291032 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved artifact entropy is 8.00, consistent with packed or encrypted content.
  • objdata_01_off000ae139.bin
    SHA-256: e20116a9464db03fa045b5f891da52f017a31445087915be01bf3126af94c2db
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0xAE139
    Size: 6847 bytes
  • objdata_02_off000ae153.bin
    SHA-256: d3b5499686bcbdea38979e303c855f973cdc13e64c6e67fa4a3af1711608a393
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0xAE153
    Size: 6843 bytes