Malicious RTF — malware analysis report

Static analysis result for SHA-256 5276da8ab9ad886d…

Verdict: MALICIOUS
File type: RTF
Size: 864.7 KB
Created: 2020-04-20 08:08:00
MD5: 40eb1048172d7c0e616b62f19145e624
SHA-1: d4928779cdf9ead907f6db5f649b18395a95f24f
SHA-256: 5276da8ab9ad886d3fc4421b19beefd9b9633ffb912e3b252e90aba3471b1395
Risk score: 80

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File
  • T1027 Obfuscated Files or Information

The RTF file contains multiple embedded OLE objects, with the \objupdate directive indicating an attempt to force activation. This strongly suggests an exploit targeting RTF parsing vulnerabilities to execute embedded content. While no specific payload or script was directly extracted, the presence of multiple OLE objects and the objupdate heuristic point towards a delivery mechanism for a secondary exploit or payload. The document body consists of font information, providing no user-facing lure.

Heuristics (4)

  • \objupdate forces OLE activation (severity: high, ID: RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, ID: RTF_OBJDATA)
    RTF contains 12 \objdata section(s), i.e. embedded OLE objects.
  • Embedded OLE object (severity: medium, ID: RTF_OBJEMB)
    RTF contains \objemb, an embedded OLE object.
  • Embedded URL (severity: info, ID: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml

Extracted artifacts (12)

Files carved from inside the sample during analysis.

Filename                    SHA-256                                                           Kind                 Source                          Size
objdata_00_off00002cae.bin  ad247d03182c4e654917d810656d38afa2290bac25f487386e99d7bd4b9dd63f  rtf-objdata-decoded  RTF \objdata at offset 0x2CAE   22075 bytes
objdata_01_off00013e64.bin  50a74247e1a365925d5792a2f233c430ef5b7b8c8c98f8424294aa55f818dce2  rtf-objdata-decoded  RTF \objdata at offset 0x13E64  22075 bytes
objdata_02_off00025125.bin  c432b2d2f63fb8a7b06a1c9b6fe2743e1dc7680ace07d10c7505dffaf5f7848a  rtf-objdata-decoded  RTF \objdata at offset 0x25125  22075 bytes
objdata_03_off000363e6.bin  0ecba64855b79491b929c2bb5417895d5229d2786ddee36e5573f4e161ff79cc  rtf-objdata-decoded  RTF \objdata at offset 0x363E6  22075 bytes
objdata_04_off000476a7.bin  b56086db888b914b53a708bbc942618c6c35b35e65d18afef03da3c0a7beb933  rtf-objdata-decoded  RTF \objdata at offset 0x476A7  22075 bytes
objdata_05_off00058968.bin  c2562c3b98286be451795b0fbbdae59ac8d1de9c4836ba5cafaf4c8cc6779ac8  rtf-objdata-decoded  RTF \objdata at offset 0x58968  22075 bytes
objdata_06_off00069c29.bin  d61fb18ede1d908b2e608776d00443d1d6f4202f3c4f6ea23efffe96e5709068  rtf-objdata-decoded  RTF \objdata at offset 0x69C29  22075 bytes
objdata_07_off0007aeea.bin  462e0041dc188e1eec0696cd0a7ecad0164dd9f6868b45bcc131fff00454f02d  rtf-objdata-decoded  RTF \objdata at offset 0x7AEEA  22075 bytes
objdata_08_off0008c1ab.bin  5d5557f67e3a8761a0d928dc55a294d593267d90cf48842d6ca41e32c4d18c2f  rtf-objdata-decoded  RTF \objdata at offset 0x8C1AB  22075 bytes
objdata_09_off0009d46c.bin  db9413c034d8f393e5147d0077d23db74bbe62581d10965c9659e6c64f28be29  rtf-objdata-decoded  RTF \objdata at offset 0x9D46C  22075 bytes
objdata_10_off000ae72d.bin  3fab5db665ff442816c677c6d65687f3d784d8fc14509d717f33488a7c69c971  rtf-objdata-decoded  RTF \objdata at offset 0xAE72D  22075 bytes
objdata_11_off000bf9ee.bin  474cfb34f9072c5968cbccbb429c4be68a65494c32c49415372b5f93b5e75fa4  rtf-objdata-decoded  RTF \objdata at offset 0xBF9EE  22075 bytes