Malicious RTF — malware analysis report

Static analysis result for SHA-256 69352d1c760de4d4…

MALICIOUS

File type: RTF
Size: 635.9 KB
Created: 2021-08-31 17:02:00
Authoring application: WPS Office
First seen: 2021-09-14
MD5: 5e3618e4198b1a6ce561dde79869ac82
SHA-1: 4e240a494bf03af82fb2104e9aae3532ef0e05f9
SHA-256: 69352d1c760de4d4f6974e788f3036fe02700a6cb77cd24d145c6b54f74ec3b7
Risk score: 82

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file contains multiple embedded OLE objects, and a high-severity heuristic indicates that \objupdate forces OLE activation. This suggests the file is designed to exploit OLE object handling to execute arbitrary code. While the document body discusses electronic warfare, the technical indicators point towards a malicious payload delivery mechanism rather than benign content. No scripts were extracted, and the embedded URLs are a mix of benign and unknown reputation, making it difficult to pinpoint the exact payload source.

Heuristics (4)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 3 \objdata section(s) — embedded OLE objects
  • Embedded OLE object (severity: medium, rule: RTF_OBJEMB)
    RTF contains \objemb — embedded OLE object
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All URLs in this sample were found in the RTF body.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00025675.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x25675
  Size: 241916 bytes
  SHA-256: 4addb780e73905d9609c477a1d01fc1fc60fb168c292eecc8a148de2c8577dcf

Filename: objdata_01_off0009b893.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x9B893
  Size: 6847 bytes
  SHA-256: 46aae0d46afaabc7a436e18ca0b429f0d4db1542ca02a3e618589754f3201fb3

Filename: objdata_02_off0009b8ad.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x9B8AD
  Size: 6843 bytes
  SHA-256: c0a92f4b71447b0ac6447e9a91105da681975a7c0c4447d15815cefe22fa456c