Malicious RTF — malware analysis report

Static analysis result for SHA-256 2957e0879e7254c9…

MALICIOUS

RTF

35.7 KB First seen: 2019-08-04
MD5: 7d00c7d0de940dcb23ba314547b86a1e SHA-1: e2a574ca5da2d68feb14ffbbcd0cda5a7970dfd1 SHA-256: 2957e0879e7254c9e7fea61237192e55327379e89fde61caafea8aa1a8c31f49
140 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF document contains OLE object data that is automatically linked and updated, indicating an attempt to exploit a vulnerability. The embedded URL moniker, although obfuscated, points to a remote resource that is likely the source of a malicious payload. This suggests a spearphishing attachment attack vector aiming for client execution.

Heuristics 4

  • URL Moniker in RTF OLE object high CVE related RTF_URL_MONIKER_RELATED
    RTF contains a URL Moniker GUID in OLE object context, but no decoded remote target was confirmed. Treat as related OLE2Link attack-surface evidence rather than proof of CVE-2017-0199 exploitation.
  • Automatically linked OLE object high RTF_OBJAUTLINK
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000045d1.bin rtf-objdata-decoded RTF \objdata at offset 0x45D1 7688 bytes
SHA-256: 51d1a4d804cdbcfddea905f57cb4791a171e51173748b1a118240476b9f00792

Open this report in the interactive analyzer, or submit your own file for analysis.