Malicious RTF — malware analysis report

Static analysis result for SHA-256 b560014e8b4cc358…

Verdict: MALICIOUS
File type: RTF
Size: 149.9 KB
First seen: 2015-09-24
MD5: 77d868660a83b41991402df5657185c0
SHA-1: edc9015fc11f94f36eeef113255a26ded3855fff
SHA-256: b560014e8b4cc358e111e51c3a67438ffc7492950b237040f37a76f64e43f198
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution

The sample is an RTF document classified as malicious. It contains Windows library and API names ('kernel32.dll', 'GetProcAddress', 'VirtualAlloc') XOR-encoded with a single-byte key, an obfuscation technique used to keep the names a position-independent payload resolves at runtime out of plain string scans. The embedded OLE object (\objdata) indicates an attempt to deliver and execute attacker-controlled content, most likely by exploiting a client-side vulnerability in the document reader (T1203); the RTF itself would reach a victim as a spearphishing attachment (T1566.001). The static analysis does not identify which vulnerability is targeted.

Heuristics (2)

  • XOR-encoded strings (key 0xFC) (severity: critical; rule: SC_XOR_ENCODED)
    Found 3 Windows library/API name(s) XOR-encoded with single-byte key 0xFC: 'kernel32.dll', 'GetProcAddress', 'VirtualAlloc'
    Disassembly
    Attempted x86 opcode disassembly of the encoded region. The listing is not meaningful code: the first twelve bytes at 0001D04A (97 99 8e 92 99 90 cf ce d2 98 90 90) are exactly 'kernel32.dll' XOR 0xFC, so the disassembler is consuming string data, and the instructions below (a segment-register load from an implausible address, then `add byte ptr [eax], al` repeated over zero bytes) are an artefact of that, not evidence of shellcode at this offset.
    0001D04A  97                xchg edi, eax
    0001D04B  99                cdq
    0001D04C  8e929990cfce      mov ss, word ptr [edx - 0x31306f67]
    0001D052  d29890900000      rcr byte ptr [eax + 0x9090], cl
    0001D058  0000              add byte ptr [eax], al
    0001D05A  dc00              fadd qword ptr [eax]
    0001D05C  d300              rol dword ptr [eax], cl
    0001D05E  bd000000bf        mov ebp, 0xbf000000
    0001D063  0093009100af      add byte ptr [ebx - 0x50ff6f00], dl
    0001D069  008c0099009f00    add byte ptr [eax + eax + 0x9f0099], cl
    0001D070  0000              add byte ptr [eax], al
    0001D072  8f00              pop dword ptr [eax]
    0001D074  99                cdq
    0001D075  008e009f0000      add byte ptr [esi + 0x9f00], cl
    0001D07B  09400d            or dword ptr [eax + 0xd], eax
    0001D07E  2008              and byte ptr [eax], cl
    0001D080  a0095009f0        mov al, byte ptr [0xf0095009]
    0001D085  08c0              or al, al
    0001D087  0d20092009        or eax, 0x9200920
    0001D08C  90                nop
    0001D08D  088000000000      or byte ptr [eax], al
    0001D093  0000              add byte ptr [eax], al
    0001D095  0000              add byte ptr [eax], al
    0001D097  0000              add byte ptr [eax], al
    0001D099  0000              add byte ptr [eax], al
    0001D09B  0000              add byte ptr [eax], al
    0001D09D  0000              add byte ptr [eax], al
    0001D09F  0000              add byte ptr [eax], al
    0001D0A1  0000              add byte ptr [eax], al
    0001D0A3  0000              add byte ptr [eax], al
    0001D0A5  0000              add byte ptr [eax], al
    0001D0A7  0000              add byte ptr [eax], al
    0001D0A9  00                .byte 0x00
  • OLE object data (severity: medium; rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects
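Both heuristics above can be reproduced offline. The script below is an added example written for this page, not code from the analysis platform that produced the report: it carves each \objdata group out of an RTF image, hex-decodes it, checks the decoded blob for the OLE 1.0 header (bytes 01 05 00 00, the OLEVersion field), and brute-forces every single-byte XOR key (0x01 to 0xFF) against a short list of Windows library/API names over both the raw file and each decoded object. The input is a constructed RTF built inside the script (an OLE 1.0 object of class "Package" followed by trailing bytes in which 'kernel32.dll' and 'VirtualAlloc' are XOR-encoded with 0xFC), not the analysed sample; the API list, the function names and the sample layout are my own choices. \bin runs and other RTF evasion tricks are not handled; for real triage use a full tokenizer such as oletools' rtfobj.

```python
import hashlib
import re

# Names whose single-byte-XOR-encoded form is a strong signal. The report's
# heuristic matched the first three under key 0xFC; the list is my choice.
API_NAMES = [b"kernel32.dll", b"GetProcAddress", b"VirtualAlloc",
             b"LoadLibraryA", b"WinExec", b"CreateProcessA"]
HEX_DIGITS = b"0123456789abcdefABCDEF"


def extract_objdata(rtf):
    """Return (offset, decoded_bytes) for each \\objdata group in an RTF image.
    Hex digits are collected up to the brace closing the group; whitespace,
    line breaks and embedded control words are skipped; nested braces are
    tolerated by depth counting. \\bin runs are not handled (see rtfobj)."""
    blobs = []
    for m in re.finditer(rb"\\objdata", rtf):
        pos, depth, hexchars = m.end(), 0, bytearray()
        while pos < len(rtf):
            c = rtf[pos:pos + 1]
            if c == b"{":
                depth += 1
            elif c == b"}":
                if depth == 0:
                    break
                depth -= 1
            elif c == b"\\":                  # skip an embedded control word
                pos += 1
                while pos < len(rtf) and rtf[pos:pos + 1].isalnum():
                    pos += 1
                continue
            elif c in HEX_DIGITS:
                hexchars += c
            pos += 1
        if len(hexchars) % 2:
            hexchars = hexchars[:-1]          # drop a dangling nibble
        blobs.append((m.start(), bytes.fromhex(hexchars.decode("ascii"))))
    return blobs


def find_xor_encoded_strings(data, names=API_NAMES):
    """Brute-force keys 0x01..0xFF; return (key, offset, name) for every place a
    known name occurs XOR-encoded. Key 0x00 is plaintext and is excluded."""
    hits = []
    for key in range(1, 256):
        for name in names:
            encoded = bytes(b ^ key for b in name)
            start = data.find(encoded)
            while start >= 0:
                hits.append((key, start, name.decode()))
                start = data.find(encoded, start + 1)
    return hits


def xor_decode(data, key, offset, length):
    """Decode a slice under a single-byte key: confirms a hit and shows that a
    region the disassembler chokes on is string data rather than code."""
    return bytes(b ^ key for b in data[offset:offset + length])


def triage(rtf):
    """Run both heuristics from the report over one RTF file image."""
    result = {"objdata": [], "xor_strings": []}

    def record(where, data):
        for key, off, name in find_xor_encoded_strings(data):
            result["xor_strings"].append(
                {"where": where, "key": key, "offset": off, "name": name})

    for off, blob in extract_objdata(rtf):
        result["objdata"].append({
            "offset": off, "size": len(blob),
            "ole1_header": blob[:4] == b"\x01\x05\x00\x00",  # OLEVersion 0x501
            "sha256": hashlib.sha256(blob).hexdigest()})
        record("objdata@%#x" % off, blob)     # the payload may carry them too
    record("file", rtf)
    return result


def build_sample():
    """Constructed input (not the analysed sample): a minimal RTF wrapping an
    OLE 1.0 object of class 'Package', followed by raw trailing bytes in which
    'kernel32.dll' and 'VirtualAlloc' are XOR-encoded with 0xFC."""
    payload = b"MZ" + b"\x00" * 6                      # stand-in native data
    ole1 = (b"\x01\x05\x00\x00\x02\x00\x00\x00"        # OLEVersion, FormatID=2
            + (8).to_bytes(4, "little") + b"Package\x00"
            + b"\x00" * 8                              # empty topic/item names
            + len(payload).to_bytes(4, "little") + payload)
    hexdata = ole1.hex().encode()
    lines = [hexdata[i:i + 32] for i in range(0, len(hexdata), 32)]
    rtf = (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata\r\n"
           + b"\r\n".join(lines) + b"}}\\par}\r\n")
    enc = lambda s: bytes(b ^ 0xFC for b in s)
    return rtf + b"\x00" * 16 + enc(b"kernel32.dll") + b"\x00" * 4 + enc(b"VirtualAlloc")


if __name__ == "__main__":
    sample = build_sample()
    report = triage(sample)
    for item in report["objdata"]:
        print("objdata at %#x: %d bytes, OLE1 header: %s, sha256 %s" % (
            item["offset"], item["size"], item["ole1_header"], item["sha256"]))
    for h in report["xor_strings"]:
        print("%(where)s: %(name)s XOR 0x%(key)02X at offset %(offset)#x" % h)
    first = [h for h in report["xor_strings"] if h["where"] == "file"][0]
    print(xor_decode(sample, first["key"], first["offset"], 12))  # string, not code
```

The key space is tiny (255 keys times a handful of names), so the brute force costs nothing even on a multi-megabyte document, and reporting the key alongside the offset is what lets an analyst decode the surrounding region in place instead of disassembling it, which is exactly the mistake the listing above illustrates.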

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000007d.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x7D
Size: 3206 bytes
SHA-256: b086ee6c0071a9b3573d93f54cf608f2d5a475ae5914295088a5ebd8bee5f9fd