Malicious RTF — malware analysis report

Static analysis result for SHA-256 8ecf1c276e10e3f3…

Verdict: MALICIOUS
File type: RTF
Size: 229.0 KB
Created: 2020-08-07 14:21:00
MD5: feb6a0dc922843c710bd18edddb67980
SHA-1: f317a837f52c4488e3de6eb665f13ae582474b47
SHA-256: 8ecf1c276e10e3f3e9f7bc9e728fde9abea23348a2af6ce70269008d632a412d
Risk score: 180

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File
  • T1027 Obfuscated Files or Information

The RTF file contains embedded OLE objects, indicated by RTF_OBJDATA, RTF_OBJEMB, and RTF_OBJCLASS_PACKAGE heuristics. The RTF_OBJUPDATE heuristic suggests that the embedded object is designed to be activated automatically. Crucially, a PE header (RTF_MZ_HEX) was found within the OLE object's data, strongly indicating that the embedded object is a Windows executable. This points to a delivery mechanism for a malicious payload, likely via a spearphishing attachment.

Heuristics (6)

  • RTF_MZ_HEX (critical): PE header (with DOS stub) in hex data
    Hex-encoded PE (MZ + DOS stub) found inside RTF — likely an embedded executable payload
  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJCLASS_PACKAGE (high): Package object class
    OLE Package object — can wrap arbitrary files
  • RTF_OBJDATA (medium): OLE object data
    RTF contains 2 \objdata section(s) — embedded OLE objects
  • RTF_OBJEMB (medium): Embedded OLE object
    RTF contains \objemb — embedded OLE object
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: objdata_00_off00003f7c.bin
    SHA-256: 12c8f5ce1141db3f91713157c43be571f6041e77f2bd0e8bca039a1f505fe380
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x3F7C
    Size: 85852 bytes
  • Filename: objdata_01_off000335aa.bin
    SHA-256: 850f4b644f95e1ba8bf9bf1ddc484036f321887ecee0df95f57497fde0b754f3
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x335AA
    Size: 1069 bytes