Verdict: MALICIOUS
Risk Score: 120
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious File
The RTF document contains numerous OLE objects with excessive hex data, and a ".objupdate" directive that forces OLE activation. This strongly suggests an attempt to exploit OLE vulnerabilities to execute embedded code. While the document body mentions a completed payment, the technical indicators point to a malicious payload delivery mechanism rather than legitimate content. No scripts were extracted, and the single embedded URL was confirmed benign, limiting further analysis of the payload's intent.
Heuristics (5)
- \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE): RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
- Large hex data blocks in OLE object (severity: high, rule: RTF_EXCESSIVE_HEX): RTF contains ~1022KB of hex-encoded data inside \objdata sections — may hide a payload.
- OLE object data (severity: medium, rule: RTF_OBJDATA): RTF contains 75 \objdata section(s) — embedded OLE objects.
- Embedded OLE object (severity: medium, rule: RTF_OBJEMB): RTF contains \objemb — embedded OLE object.
- Embedded URL (severity: info, rule: EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://gpow.wellsfargo.com/gpow/Payments/CompletedPayments.do
Extracted artifacts (10)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| objdata_00_off00032211.bin | 20a927f4029465fb78fe75edde31dac019eff67b95f56fea76067f1fca5df66d | rtf-objdata-decoded | RTF \objdata at offset 0x32211 | 17467 bytes |
| objdata_01_off0004011d.bin | 1dc3aeb84a3db1ee3acf885f2b38ec10e789cd7eb92f3d7bb3f28918d533730f | rtf-objdata-decoded | RTF \objdata at offset 0x4011D | 17467 bytes |
| objdata_10_off000bd889.bin | bb5f79cb142bfe5310da5ef5192e6775af050fef67a175231876aba8a9385875 | rtf-objdata-decoded | RTF \objdata at offset 0xBD889 | 17467 bytes |
| objdata_19_off0013aff5.bin | 60fb4300d9d392f82b1ce9d80d36506e1ebe3e1ab70f469136ec6777bb48ef95 | rtf-objdata-decoded | RTF \objdata at offset 0x13AFF5 | 17467 bytes |
| objdata_27_off001aa855.bin | 3e43be6e04072e08da0c2e6afa44b9ff029034fe96118ee7092d9f78d43b3c1b | rtf-objdata-decoded | RTF \objdata at offset 0x1AA855 | 17467 bytes |
| objdata_34_off0020c1a9.bin | 51b6cc8f0e1954d22a7042d1900962c3c63daecb0ddf9ff37d9016de35a09878 | rtf-objdata-decoded | RTF \objdata at offset 0x20C1A9 | 17467 bytes |
| objdata_43_off00289915.bin | b55e8a01643314c14ddf906219796b948c4444cac6196656af88b7b74965009c | rtf-objdata-decoded | RTF \objdata at offset 0x289915 | 17467 bytes |
| objdata_51_off002f9175.bin | 0c45f3b939806e7028c038e79e62fc1205b50416a9e384f55cecd84e52b8dc1b | rtf-objdata-decoded | RTF \objdata at offset 0x2F9175 | 17467 bytes |
| objdata_59_off003689d5.bin | 212f75dfbe5b1ecdec9f984c92d424e492c649387f7136276cdb48e894d23466 | rtf-objdata-decoded | RTF \objdata at offset 0x3689D5 | 17467 bytes |
| objdata_67_off003d8235.bin | f5882ec8deea4b0152a4826b4badd9c6af5583785eac50f716481fa4ae83d056 | rtf-objdata-decoded | RTF \objdata at offset 0x3D8235 | 17467 bytes |