Malicious RTF — malware analysis report

Static analysis result for SHA-256 8ef468cca09b1ce9…

MALICIOUS

RTF

451.8 KB Created: 2021-07-30 23:08:00
MD5: 880008035c9259fd38942d1f99fb0093 SHA-1: dbdac903f1cb963405a9783cca20d540e2e5919a SHA-256: 8ef468cca09b1ce93b50c77138ea9c090cf0e09d6e5c7da82390cbbedf6a0fa0
190 Risk Score

Malware Insights

MITRE ATT&CK
T1559 Component Object Model and Distributed Component Object Model T1559.001 Component Object Model and Distributed Component Object Model: Component Object Model

The RTF document contains OLE object data and is configured to automatically update and activate these objects. This suggests an attempt to leverage OLE vulnerabilities for code execution. The extracted artifact 'objdata_00_off000078f1.bin' is likely the payload or exploit code. No scripts were extracted from this sample.

Heuristics 5

  • Automatically linked OLE object high RTF_OBJAUTLINK
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2003/wordml

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000078f1.bin
b37d630cabb275f54bd0efaea6f883f84d01f1750705b9019183ea6156f0fcf0		 rtf-objdata-decoded RTF \objdata at offset 0x78F1 75811 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.79, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.