Malicious RTF — malware analysis report

Static analysis result for SHA-256 5c8810781b90df96…

MALICIOUS

RTF

1.01 MB Created: 2019-01-07 23:54:00
MD5: f4e70ad14a7ad338640d94ee3f7c7ed4 SHA-1: e597f0cfd84338c865f426acf93f5244abbe6e79 SHA-256: 5c8810781b90df96a838fdd8108264d3d87c7d05a997c2c210fb67433297b6ac
162 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The RTF file contains multiple embedded OLE objects, with a high heuristic score for ".objupdate" forcing OLE activation and a package object class. A significant amount of hex-encoded data within these objects suggests it is used to hide a payload. The presence of embedded OLE objects and the potential for exploitation points towards a spearphishing attachment delivery method.

Heuristics 6

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • Package object class high RTF_OBJCLASS_PACKAGE
    OLE Package object — can wrap arbitrary files
  • Large hex data blocks in OLE object high RTF_EXCESSIVE_HEX
    RTF contains ~1013KB of hex-encoded data inside \objdata sections — may hide a payload
  • OLE object data medium RTF_OBJDATA
    RTF contains 6 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2003/wordml
    • http://www.cmu.edu/blackboard
    • http://www.cmu.edu/blackboard/files/evaluate/tests-example.xls
    • http://www.cmu.edu/blackboard/evaluate#manage_tests/import_questionsc

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00002483.bin
d489e80ead956385a029c1c42a1554329f100272357b3340efab5c923fd96c7c		 rtf-objdata-decoded RTF \objdata at offset 0x2483 100910 bytes
objdata_05_off000fa766.bin
be306341e1481ee02d5ad0fc72cde5c3575623c29b0958bc66c51e5592bb193f		 rtf-objdata-decoded RTF \objdata at offset 0xFA766 1271 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.