Verdict: MALICIOUS
Risk Score: 82
Malware Insights
MITRE ATT&CK
- T1203 Exploitation for Client Execution
- T1566.001 Spearphishing Attachment
The RTF file contains multiple embedded OLE objects, indicated by the RTF_OBJDATA and RTF_OBJEMB heuristics. The presence of an embedded URL, though many are benign, suggests an attempt to download additional content. The x86 GetPC stub heuristic points to potential shellcode execution. Given these factors, the file likely exploits a client-side vulnerability to execute code, possibly as part of a spearphishing attachment.
Heuristics (4)
- x86 GetPC stub (CALL $+5; POP EAX) | severity: high | id: SC_GETPC_CALL
Disassembly (attempted x86 opcode disassembly at the matched offset):

```
0021E56E e800000000          call 0x21e573
0021E573 58                  pop eax
0021E574 0e                  push cs
0021E575 0000                add byte ptr [eax], al
0021E577 000e                add byte ptr [esi], cl
0021E579 0000                add byte ptr [eax], al
0021E57B 000a                add byte ptr [edx], cl
0021E57D 0000                add byte ptr [eax], al
0021E57F 0800                or byte ptr [eax], al
0021E581 50                  push eax
0021E582 0000                add byte ptr [eax], al
0021E584 008907000001        add byte ptr [ecx + 0x1000007], cl
0021E58A 0001                add byte ptr [ecx], al
0021E58C 0001                add byte ptr [ecx], al
0021E58E 00ff                add bh, bh
0021E590 0000                add byte ptr [eax], al
0021E592 0200                add al, byte ptr [eax]
0021E594 0000                add byte ptr [eax], al
0021E596 0100                add dword ptr [eax], eax
0021E598 b60f                mov dh, 0xf
0021E59A 0000                add byte ptr [eax], al
0021E59C 0000                add byte ptr [eax], al
0021E59E 0100                add dword ptr [eax], eax
0021E5A0 0900                or dword ptr [eax], eax
0021E5A2 3100                xor dword ptr [eax], eax
0021E5A4 ff00                inc dword ptr [eax]
0021E5A6 0000                add byte ptr [eax], al
0021E5A8 f5                  cmc
0021E5A9 0101                add dword ptr [ecx], eax
0021E5AB bbbb0200ff          mov ebx, 0xff0002bb
0021E5B0 ff00                inc dword ptr [eax]
0021E5B2 0000                add byte ptr [eax], al
0021E5B4 0001                add byte ptr [ecx], al
0021E5B6 de00                fiadd word ptr [eax]
0021E5B8 0010                add byte ptr [eax], dl
0021E5BA 16                  push ss
0021E5BB 0000                add byte ptr [eax], al
0021E5BD 0300                add eax, dword ptr [eax]
0021E5BF 1200                adc al, byte ptr [eax]
0021E5C1 45                  inc ebp
0021E5C2 646974456e67696e65  imul esi, dword ptr fs:[ebp + eax*2 + 0x6e], 0x656e6967
0021E5CB 49                  dec ecx
0021E5CC 7465                je 0x21e633
```
- OLE object data | severity: medium | id: RTF_OBJDATA | RTF contains 3 \objdata section(s) (embedded OLE objects)
- Embedded OLE object | severity: medium | id: RTF_OBJEMB | RTF contains \objemb (embedded OLE object)
- Embedded URL | severity: info | id: EMBEDDED_URL | One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All extracted URLs were found in the RTF body.
Extracted artifacts (3)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| objdata_00_off0004fd14.bin | rtf-objdata-decoded | RTF \objdata at offset 0x4FD14 | 60584 bytes | 2389bb4c82d2e4563e70501ac58a1ed4b6b39698fb756608762c035042086dfd |
| objdata_01_off00071844.bin | rtf-objdata-decoded | RTF \objdata at offset 0x71844 | 60584 bytes | 5057c29214c4682470a7bab7cfb85bbd994318bb4261307f4689864909cc4fc9 |
| objdata_02_off00094eef.bin | rtf-objdata-decoded | RTF \objdata at offset 0x94EEF | 87494 bytes | bc62014a34750988091d3e7858ec839eb99948b4676eb5cf1a4d0ef1da234a76 |