Malicious RTF — malware analysis report

Static analysis result for SHA-256 43d6499161db00f1…

MALICIOUS

RTF

Size: 108.9 KB
First seen: 2015-09-18
MD5: 13cda4333392ef64757d09901e0175a0
SHA-1: b0334817dd504aba0c6d27c5ca704f520377efec
SHA-256: 43d6499161db00f1f4061371bf54a6be3b69805e2e34eb6434f0479d2c43a729
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF document contains an embedded OLE object, indicated by the RTF_OBJDATA heuristic. The SC_XOR_ENCODED heuristic indicates that strings within the file are obfuscated with a single-byte XOR key of 0xFC, a common technique for hiding malicious code or URLs from string-based scanners. No URLs or scripts were extracted in readable form, but the combination of an embedded OLE object and XOR-encoded Windows API names strongly suggests an attempt to exploit a client execution vulnerability, likely to download and run a further stage of malware.

Heuristics (2)

  • XOR-encoded strings (key 0xFC) [critical] SC_XOR_ENCODED
    Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0xFC: 'kernel32.dll', 'LoadLibraryA', 'LoadLibraryW', 'GetProcAddress', 'VirtualAlloc', 'VirtualProtect', 'CreateProcessW', 'CreateProcessW'
    Disassembly
    Attempted x86 opcode disassembly
    000137FF  97                xchg edi, eax
    00013800  99                cdq
    00013801  8e929990cfce      mov ss, word ptr [edx - 0x31306f67]
    00013807  d29890900000      rcr byte ptr [eax + 0x9090], cl
    0001380D  0000              add byte ptr [eax], al
    0001380F  bf8e999d88        mov edi, 0x889d998e
    00013814  99                cdq
    00013815  ba959099ab        mov edx, 0xab999095
    0001381A  00ac8e939f998f    add byte ptr [esi + ecx*4 - 0x7066606d], ch
    00013821  8f                .byte 0x8f
    00013822  cf                iretd
    00013823  ce                into
    00013824  b299              mov dl, 0x99
    00013826  8488000000ac      test byte ptr [eax - 0x54000000], cl
    0001382C  8e939f998f8f      mov ss, word ptr [ebx - 0x70706661]
    00013832  cf                iretd
    00013833  ce                into
    00013834  ba958e8f88        mov edx, 0x888f8e95
    00013839  0000              add byte ptr [eax], al
    0001383B  ac                lodsb al, byte ptr [esi]
    0001383C  99                cdq
    0001383D  99                cdq
    0001383E  97                xchg edi, eax
    0001383F  b29d              mov dl, 0x9d
    00013841  91                xchg ecx, eax
    00013842  99                cdq
    00013843  ac                lodsb al, byte ptr [esi]
    00013844  95                xchg ebp, eax
    00013845  8c9900000000      mov word ptr [ecx], ds
    0001384B  bb9988b88e        mov ebx, 0x8eb88899
    00013850  95                xchg ebp, eax
    00013851  8a99a8858c99      mov bl, byte ptr [ecx - 0x66737a58]
    00013857  ab                stosd dword ptr es:[edi], eax
    00013858  0000              add byte ptr [eax], al
    0001385A  0000              add byte ptr [eax], al
    0001385C  0000              add byte ptr [eax], al
    0001385E  00                .byte 0x00
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000006e.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x6E
Size: 3894 bytes
SHA-256: 843dbdf3ff50a85ef44b24b14b85cdf31af98def6f8ff4a76bc05671df83c948