Malicious RTF — malware analysis report

Static analysis result for SHA-256 385d60a67f9d7940…

MALICIOUS

RTF

251.6 KB Created: 2020-02-12 First seen: 2020-06-01
MD5: cd2782478d49d8af7f0e6f420a00c271 SHA-1: 7d57b7dc6b8292239b38979874a1683bc5bd56ec SHA-256: 385d60a67f9d79403ccea7e19da0dfd64948d9f7ab8430eee23e954c37a95e63
142 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The RTF file contains an embedded OLE object that is triggered by \objupdate, indicating an attempt to execute code. Static triage signals include shellcode API strings and a URL, suggesting the embedded object is a downloader for a second-stage payload. The presence of shellcode API strings and a suspicious URL points towards a malicious payload delivery mechanism.

Heuristics 5

  • Suspicious extracted artifact critical EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.mic In RTF body
    • http://bit.ly/3447icTIn RTF body

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0003b64b.bin rtf-objdata-decoded RTF \objdata at offset 0x3B64B 1438 bytes
SHA-256: 90ebc5be749942749b32b42d87399b15175ba2c226c8740225e2dc4ca7b0d1c8
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis recovered URL(s): http://bit.ly/3447icT Static shellcode analysis found candidate code region(s). Indicators: SC_STR_LOADLIBRARY, SC_STR_URLDOWNLOAD, SC_PEB_ACCESS Static shellcode analysis recovered API/import strings: LoadLibraryA, GetProcAddress, URLDownloadToFileA, ExitProcess

Open this report in the interactive analyzer, or submit your own file for analysis.