MALICIOUS
122
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The RTF file contains multiple embedded OLE objects, with one specifically identified as a Package object. The presence of an \objupdate directive strongly suggests an attempt to automatically activate these embedded objects, which is a common technique for executing malicious payloads. While no specific family is identified, the method points to an exploit targeting OLE object handling.
Heuristics 5
-
\objupdate forces OLE activation high RTF_OBJUPDATERTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
-
Package object class high RTF_OBJCLASS_PACKAGEOLE Package object — can wrap arbitrary files
-
OLE object data medium RTF_OBJDATARTF contains 5 \objdata section(s) — embedded OLE objects
-
Embedded OLE object medium RTF_OBJEMBRTF contains \objemb — embedded OLE object
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2003/wordml In RTF body
- http://www.cmu.edu/blackboardIn RTF body
- http://www.cmu.edu/blackboard/files/evaluate/tests-example.xlsIn RTF body
- http://www.cmu.edu/blackboard/evaluate#manage_tests/import_questionscIn RTF body
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
objdata_00_off0000244f.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x244F | 77358 bytes |
SHA-256: bb3c76ca28920c92485588c3996741e0e06927144717b85c14cc2ec797c32e43 |
|||
objdata_04_off0009ab2f.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x9AB2F | 6502 bytes |
SHA-256: 4d78aaeea748a71dcb0130caf1f2c86d1f67ede8256319ad5cd481b642f10cad |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.