Malicious RTF — malware analysis report

Static analysis result for SHA-256 32a7b9ba1e472352…

Verdict: MALICIOUS
File type: RTF
Size: 92.7 KB
Created: 2013-04-17 18:27:00
First seen: 2015-09-17
MD5: 1ec61dcf69ffdd88cfd5e117fff14bf0
SHA-1: 9d72a5f4620b10b695bca2819eee5ec6580d10b0
SHA-256: 32a7b9ba1e47235210e141ef875e3b2334dd36d30bad49006e09721c2c8bf741
Risk score: 102

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The RTF file contains OLE object data and XOR-encoded strings, suggesting it is designed to deliver a malicious payload. The document body fabricates a narrative about an impending economic collapse and a DHS insider, likely intended to create a sense of urgency and manipulate the reader. The presence of embedded OLE object data and XOR encoding indicates a sophisticated attempt to conceal malicious code, possibly for further execution.

Heuristics (4)

  • XOR-encoded strings (key 0x3F) [critical] SC_XOR_ENCODED
    Found 2 Windows library/API name(s) XOR-encoded with single-byte key 0x3F: 'kernel32.dll', 'advapi32.dll'
    Disassembly: attempted x86 opcode disassembly of the encoded region
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Suspicious extracted artifact [medium] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000a1ea.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0xA1EA
Size: 5833 bytes
SHA-256: e11125c66280e4aaa239b51159bbbb1697d74ee790f024ae119805d5fcad8894
Detection
  ClamAV: No threats found
  Obfuscation or payload: likely
  Static shellcode analysis found candidate code region(s). Indicators: NOP sled, SC_PEB_ACCESS