Verdict: MALICIOUS
Risk Score: 162
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The RTF file contains embedded OLE objects that are automatically linked and updated, indicating an attempt to execute embedded code. The presence of URL Monikers suggests the OLE object is configured to fetch external content. While no scripts were directly extracted, the heuristics strongly suggest a malicious document designed to exploit OLE object activation for payload delivery, likely via a spearphishing attachment.
Heuristics (6)
- URL Moniker in RTF OLE object (high, RTF_URL_MONIKER_RELATED): RTF contains a URL Moniker GUID in OLE object context, but no decoded remote target was confirmed. Treat as related OLE2Link attack-surface evidence rather than proof of CVE-2017-0199 exploitation.
- Automatically linked OLE object (high, RTF_OBJAUTLINK): RTF contains \objautlink, an automatically linked OLE object surface that can be updated or activated when Word opens the document.
- \objupdate forces OLE activation (high, RTF_OBJUPDATE): RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
- NOP-equivalent sled detected (medium, SC_NOP_EQUIV_SLED): long run of 0x40 bytes.
Disassembly
Attempted x86 opcode disassembly
- OLE object data (medium, RTF_OBJDATA): RTF contains 1 \objdata section(s), i.e. embedded OLE objects.
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| objdata_00_off000001a2.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1A2 | 3143 bytes |

SHA-256 of objdata_00_off000001a2.bin: a47378db62822fa49bc9e74f675dbf0511daeafb7efc52c7599752cab813a104