Malicious RTF — malware analysis report

Static analysis result for SHA-256 a13ec5a6e7762b60…

MALICIOUS

RTF

Size: 317.4 KB  Created: 2013-05-08 11:29:00  First seen: 2015-10-01
MD5: aff1c9b0c8d13c88dc7f47ed12e72534
SHA-1: 469462787b040a43771f70dc14b122f818cfe687
SHA-256: a13ec5a6e7762b60882227640b57a32acd711fb6c706eabd1b9613e937e3e356
Risk Score: 162

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The RTF file contains an embedded OLE object, indicated by the RTF_OBJDATA heuristic. The document body displays an error message, likely a social engineering tactic to trick the user into interacting with the embedded object. The SC_XOR_ENCODED heuristic suggests obfuscated content within the file, and ClamAV detected it as a Trojan Agent. While no scripts were directly extracted, the presence of an embedded OLE object and obfuscated strings points towards a malicious payload delivery.

Heuristics 5

  • ClamAV: Rtf.Trojan.Agent-1388623 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Rtf.Trojan.Agent-1388623
  • XOR-encoded strings (key 0x3F) (critical, SC_XOR_ENCODED)
    Found 2 Windows library/API name(s) XOR-encoded with single-byte key 0x3F: 'CreateProcessA', 'ShellExecuteW'
    Disassembly
    Attempted x86 opcode disassembly
    0003D887  7c4d              jl 0x3d8d6
    0003D889  5a                pop edx
    0003D88A  5e                pop esi
    0003D88B  4b                dec ebx
    0003D88C  5a                pop edx
    0003D88D  6f                outsd dx, dword ptr [esi]
    0003D88E  4d                dec ebp
    0003D88F  50                push eax
    0003D890  5c                pop esp
    0003D891  5a                pop edx
    0003D892  4c                dec esp
    0003D893  4c                dec esp
    0003D894  7e4c              jle 0x3d8e2
    0003D896  6a4c              push 0x4c
    0003D898  5a                pop edx
    0003D899  4d                dec ebp
    0003D89A  683f3f3f3f        push 0x3f3f3f3f
    0003D89F  6c                insb byte ptr es:[edi], dx
    0003D8A0  57                push edi
    0003D8A1  5a                pop edx
    0003D8A2  53                push ebx
    0003D8A3  53                push ebx
    0003D8A4  7a47              jp 0x3d8ed
    0003D8A6  5a                pop edx
    0003D8A7  5c                pop esp
    0003D8A8  4a                dec edx
    0003D8A9  4b                dec ebx
    0003D8AA  5a                pop edx
    0003D8AB  7a47              jp 0x3d8f4
    0003D8AD  683f3f3f6d        push 0x6d3f3f3f
    0003D8B2  5a                pop edx
    0003D8B3  5e                pop esi
    0003D8B4  53                push ebx
    0003D8B5  6c                insb byte ptr es:[edi], dx
    0003D8B6  57                push edi
    0003D8B7  5a                pop edx
    0003D8B8  53                push ebx
    0003D8B9  53                push ebx
    0003D8BA  7a47              jp 0x3d903
    0003D8BC  5a                pop edx
    0003D8BD  5c                pop esp
    0003D8BE  4a                dec edx
    0003D8BF  4b                dec ebx
    0003D8C0  5a                pop edx
    0003D8C1  683f3f3f6c        push 0x6c3f3f3f
    0003D8C6  777d              ja 0x3d945
    0003D8C8  4d                dec ebp
    0003D8C9  50                push eax
    0003D8CA  48                dec eax
    0003D8CB  4c                dec esp
    0003D8CC  5a                pop edx
    0003D8CD  7950              jns 0x3d91f
    0003D8CF  4d                dec ebp
    0003D8D0  7950              jns 0x3d922
    0003D8D2  53                push ebx
    0003D8D3  5b                pop ebx
    0003D8D4  5a                pop edx
    0003D8D5  4d                dec ebp
    0003D8D6  683f3f3f3f        push 0x3f3f3f3f
    0003D8DB  3f                aas
    0003D8DC  3f                aas
    0003D8DD  3f                aas
    0003D8DE  3f                aas
    0003D8DF  3f                aas
    0003D8E0  3f                aas
    0003D8E1  3f                aas
    0003D8E2  3f                aas
    0003D8E3  3f                aas
    0003D8E4  3f                aas
    0003D8E5  3f                aas
    0003D8E6  3f                aas
  • OLE object data (medium, RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Suspicious extracted artifact (medium, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: objdata_00_off00007f90.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x7F90
Size: 7096 bytes
SHA-256: 920e09c6ba7144ac8b14bd7e582ddb2d55a2c6313bdd60f1a38f1819845742a0
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: NOP sled, SC_PEB_ACCESS