Verdict: MALICIOUS
Risk Score: 102
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
The RTF file contains OLE object data and XOR-encoded strings, suggesting it is designed to deliver a malicious payload. The document body fabricates a narrative about an impending economic collapse and a DHS insider, likely intended to create a sense of urgency and manipulate the reader. The presence of embedded OLE object data and XOR encoding indicates a sophisticated attempt to conceal malicious code, possibly for further execution.
Heuristics (4)

- XOR-encoded strings (key 0x3F) [critical] SC_XOR_ENCODED: Found 2 Windows library/API name(s) XOR-encoded with single-byte key 0x3F: 'kernel32.dll', 'advapi32.dll'
  Disassembly (attempted x86 opcode disassembly of the flagged region):

  ```
  00017105  54        push esp
  00017106  5a        pop edx
  00017107  4d        dec ebp
  00017108  51        push ecx
  00017109  5a        pop edx
  0001710A  53        push ebx
  0001710B  0c0d      or al, 0xd
  0001710D  115b53    adc dword ptr [ebx + 0x53], ebx
  00017110  53        push ebx
  00017111  3f        aas
  ; 3f / aas repeated for every byte from 00017111 through 00017164 (84 instructions in total)
  00017164  3f        aas
  ```

  Note: the long `aas` run is a contiguous block of 0x3F bytes. Since 0x00 XOR 0x3F = 0x3F, this is what zero-filled data looks like after encoding with the single-byte XOR key 0x3F reported above, so that region is better read as encoded/padded data than as meaningful instructions; the preceding push/pop sequence is likewise a disassembler's best effort on arbitrary bytes and should not be taken as confirmed code on its own.
- OLE object data [medium] RTF_OBJDATA: RTF contains 1 \objdata section(s) (embedded OLE objects)
- Suspicious extracted artifact [medium] EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.microsoft.com/office/word/2003/wordml (found in the RTF body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| objdata_00_off0000a1ea.bin | rtf-objdata-decoded | RTF \objdata at offset 0xA1EA | 5833 bytes |

SHA-256: e11125c66280e4aaa239b51159bbbb1697d74ee790f024ae119805d5fcad8894

Detection results for objdata_00_off0000a1ea.bin:

- ClamAV: No threats found
- Obfuscation or payload: likely. Static shellcode analysis found candidate code region(s). Indicators: NOP sled, SC_PEB_ACCESS