Malicious RTF — malware analysis report

Static analysis result for SHA-256 991707d5baa8fe1d…

Verdict: MALICIOUS
File type: RTF
Size: 953.8 KB
Created: 2020-04-27 04:15:00
MD5: 1f6591427ee0a5dc21438c6461b31338
SHA-1: 7225b9d756c8233fa87a330755be056def6f1f63
SHA-256: 991707d5baa8fe1dc96dbc36670f01ce14f9b1f3a8214a82d4fb316eb006f330
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File
  • T1027 Obfuscated Files or Information

The RTF document contains multiple embedded OLE objects, one of which carries the \objupdate control word. This indicates an attempt to force OLE object activation as soon as the document is opened, most likely to execute embedded code. No specific malware family could be identified, and the document body was truncated, which limits further analysis of the exact payload or lure.

Heuristics (4)

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 12 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2003/wordml

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Each entry lists Filename, SHA-256, Kind, Source and Size.

objdata_00_off00002cae.bin
  SHA-256: 92cf70b1bac83f302696b6090c605a8714ba48600f91e4025651bf847e8760c2
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x2CAE
  Size: 21563 bytes

objdata_01_off00015c15.bin
  SHA-256: 21f9014cd4154ae13e798d5f6d868be4e24bb8257af57fe210372bbec71c2861
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x15C15
  Size: 21563 bytes

objdata_04_off0004ed5f.bin
  SHA-256: f1ae9de5717ca1bfa6249e3a0eccb41f62389701af96f71bc00edf9ba1d5b0a8
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x4ED5F
  Size: 21563 bytes

objdata_08_off0009af17.bin
  SHA-256: 34d895a6cca8a500c510cbeac9b7261253536afa6c086db872cd74b60b719d8c
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x9AF17
  Size: 21563 bytes