Verdict: MALICIOUS
Risk Score: 170
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
Heuristic matches indicate that the RTF file embeds OLE objects and uses lures related to invoices and password-protected archives. The document body discusses financial connectivity specifications, which serves as a pretext to encourage the user to interact with the embedded content. The presence of PEB access and a GetPC stub in the embedded data suggests the embedded object is likely an exploit or shellcode designed to execute.
Heuristics (7)

| Heuristic | Severity | ID | Description |
|---|---|---|---|
| x86 GetPC stub (CALL $+5; POP EAX) | high | SC_GETPC_CALL | x86 GetPC stub (CALL $+5; POP EAX) |
| PEB access via FS segment (x86) | high | SC_PEB_ACCESS | PEB access via FS segment (x86) |
| Password-protected archive handoff | high | SE_PASSWORD_ARCHIVE_LURE | Document gives password instructions for an archive or attachment; often used to keep payloads encrypted until after gateway scanning |
| OLE object data | medium | RTF_OBJDATA | RTF contains 1 \objdata section(s): embedded OLE objects |
| Embedded OLE object | medium | RTF_OBJEMB | RTF contains \objemb: embedded OLE object |
| Fake invoice / payment lure | low | SE_INVOICE_LURE | Document contains invoice or payment language paired with an action verb; useful context when combined with link, macro, or attachment indicators |
| Embedded URL | info | EMBEDDED_URL | One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. |

URL extracted under EMBEDDED_URL: http://www.microsoft.com/industry/bank/online.htm
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| objdata_00_off00013102.bin | 2197ed909883ce67f348c5c90a50008f39fb8681c0057bfbc15ba5948c5549c6 | rtf-objdata-decoded | RTF \objdata at offset 0x13102 | 37989 bytes |