RTF malware analysis — malicious · 6538c0c11dab72b7

MALICIOUS

RTF

36.6 KB Created: 2016-11-27 22:42:00 First seen: 2020-07-24

MD5: ac8eaf0b2d54f23bfff7ad3f6519ca88 SHA-1: cc7d8121b645330afb685f4a5172e45630e383c4 SHA-256: 6538c0c11dab72b756ae2c3f25dda9026bb789d2f4a8c1c7f355b3f411db55bf

102 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The RTF file contains an OLE object with a URL moniker, indicating an attempt to fetch and execute external content. The presence of OLE object data and URL moniker-related heuristics strongly suggests a malicious document designed to exploit vulnerabilities or download secondary payloads. The benign reputation of the extracted URL does not negate the suspicious nature of the OLE object's functionality.

Heuristics 4

URL Moniker in RTF OLE object high CVE related RTF_URL_MONIKER_RELATED

RTF contains a URL Moniker GUID in OLE object context, but no decoded remote target was confirmed. Treat as related OLE2Link attack-surface evidence rather than proof of CVE-2017-0199 exploitation.
Automatically linked OLE object high RTF_OBJAUTLINK

RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.microsoft.com/office/word/2003/wordml In RTF body

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off00003180.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x3180	2722 bytes
SHA-256: `1b01b95fed69f69f03e6a0449ff31f4cbd1aaf8f588300b88dc31df253f8af6b`

Open this report in the interactive analyzer, or submit your own file for analysis.