Malicious RTF — malware analysis report

Static analysis result for SHA-256 b7fcef42b2cc33c6…

Verdict: MALICIOUS
File type: RTF
Size: 389.3 KB
Created: 2021-07-02 08:24:00
First seen: 2021-07-07
MD5: c03f17a06b967a6b5e1b41817ee2c638
SHA-1: c0eb726ba90ac4fba5c4cc74b5801e218c14c953
SHA-256: b7fcef42b2cc33c668f67f4bd7718f75513a19d9302512f7f56d76ac6b869ea3
Risk score: 82

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1203 Exploitation for Client Execution

The RTF contains six \objdata sections (embedded OLE objects) and carries \objupdate, which makes Word instantiate those objects as soon as the document is opened instead of waiting for the user to activate them. That combination is the usual shape of an RTF that abuses OLE object handling to run embedded content, most often an Equation Editor exploit, with the OLE payload acting as a first stage that drops or fetches a secondary payload. The six carved objects all decode to 19515 bytes but have distinct SHA-256 values, so they are variants of the same object rather than byte-identical copies. The report does not list the OLE class name of the carved objects, so the targeted handler is inferred from \objupdate rather than confirmed. No document body text was available, so the lure cannot be characterised.

Heuristics (4)

  • \objupdate forces OLE activation  [high]  RTF_OBJUPDATE
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data  [medium]  RTF_OBJDATA
    RTF contains 6 \objdata section(s): hex-encoded embedded OLE objects (carved in the artifact list below).
  • Embedded OLE object  [medium]  RTF_OBJEMB
    RTF contains \objemb: the object is embedded in the file rather than linked to an external one.
  • Embedded URL  [info]  EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2003/wordml (in RTF body). This is the WordML XML namespace identifier that Word writes into the RTF it saves; it is never contacted at runtime and should not be treated as a network indicator.

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename                     Kind                  Source                        Size
objdata_00_off00002926.bin   rtf-objdata-decoded   RTF \objdata at offset 0x2926   19515 bytes
  SHA-256: c82314f3276386e554859173c3cf542c6091d469d931b4574d45642ffcf60b1d
objdata_01_off000117fe.bin   rtf-objdata-decoded   RTF \objdata at offset 0x117FE  19515 bytes
  SHA-256: 6dcae8aaf011a6fd176a67043a2a6347b3c7c8d4116b93848b1192001998dc66
objdata_02_off000206d4.bin   rtf-objdata-decoded   RTF \objdata at offset 0x206D4  19515 bytes
  SHA-256: adb9f8c018d145fde37ab553fb8a5d5074a085283b950a8ead8703435f8e247d
objdata_03_off0002f5aa.bin   rtf-objdata-decoded   RTF \objdata at offset 0x2F5AA  19515 bytes
  SHA-256: 0caf1d25ecfaaec9fd831a57c05e7fb5d0ad4b58f74f2692e63692f13d78b9b7
objdata_04_off0003e587.bin   rtf-objdata-decoded   RTF \objdata at offset 0x3E587  19515 bytes
  SHA-256: f9d4f649286c370a417cf2476860d4bcaf172f67a013dab6f6e599266b3dd186
objdata_05_off0004d564.bin   rtf-objdata-decoded   RTF \objdata at offset 0x4D564  19515 bytes
  SHA-256: e4c86194e06dc63db70d42483e8b4a2f3cee8f4704363ec27913926ea6350933
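The detection and carving steps behind the heuristics and the artifact table above, as an added example that is not part of this report or of the scanner that produced it. It assumes nothing about that scanner's internals: the control-word scan (RTF_OBJUPDATE / RTF_OBJEMB / RTF_OBJDATA), the \objdata hex decoder that yields offset, size and SHA-256 per object, and the OLE 1.0 header parser are written from the RTF and MS-OLEDS formats. It also goes one step further than the report and reads the class name out of each carved object, which is the check that turns "\objupdate, probably Equation Editor" into a confirmed handler. The sample RTF, its two dummy objects and every function name are constructed for the demonstration.

```python
import re
import struct
from hashlib import sha256

# One regex for RTF control words (\word, \word123, \word-5) and control symbols (\*, \', \{).
# It is also used to skip control words that sit inside an \objdata group.
CW_RE = re.compile(rb'\\([a-zA-Z]+)(-?\d+)? ?|\\(.)')
HEX = frozenset(b'0123456789abcdefABCDEF')


def rtf_flags(data: bytes) -> dict:
    """Presence checks matching the RTF_OBJUPDATE / RTF_OBJEMB / RTF_OBJDATA heuristics."""
    words = [m.group(1) for m in CW_RE.finditer(data) if m.group(1)]
    return {
        'objupdate': b'objupdate' in words,
        'objemb': b'objemb' in words,
        'objdata_count': words.count(b'objdata'),
    }


def carve_objdata(data: bytes) -> list:
    """Decode every \\objdata hex stream to raw bytes, the way the artifacts above were carved."""
    out = []
    for m in CW_RE.finditer(data):
        if m.group(1) != b'objdata':
            continue
        i, depth, hexchars = m.end(), 0, bytearray()
        while i < len(data):
            c = data[i]
            if c == 0x7B:                     # '{' : nested group, only track depth
                depth += 1
            elif c == 0x7D:                   # '}' : end of the \objdata group at depth 0
                if depth == 0:
                    break
                depth -= 1
            elif c == 0x5C:                   # '\' : skip a control word, never read its letters as hex
                cw = CW_RE.match(data, i)
                i = cw.end() if cw else i + 1
                continue
            elif c in HEX:                    # whitespace and line breaks between digits are ignored
                hexchars.append(c)
            i += 1
        if len(hexchars) % 2:                 # a dangling nibble is dropped rather than guessed
            hexchars.pop()
        raw = bytes.fromhex(hexchars.decode('ascii'))
        out.append({'offset': m.start(), 'size': len(raw),
                    'sha256': sha256(raw).hexdigest(), 'raw': raw})
    return out


def _lp_ansi(buf: bytes, pos: int):
    """MS-OLEDS LengthPrefixedAnsiString: u32 length (incl. NUL) then the bytes; 0 means absent."""
    (n,) = struct.unpack_from('<I', buf, pos)
    pos += 4
    return buf[pos:pos + n].rstrip(b'\x00').decode('latin-1'), pos + n


def ole1_header(raw: bytes) -> dict:
    """Parse the OLE 1.0 ObjectHeader; the class name says which handler (e.g. Equation.3) is targeted."""
    version, fmt = struct.unpack_from('<II', raw, 0)     # OLEVersion, FormatID (1 = linked, 2 = embedded)
    cls, pos = _lp_ansi(raw, 8)
    topic, pos = _lp_ansi(raw, pos)
    item, pos = _lp_ansi(raw, pos)
    info = {'version': version, 'format_id': fmt, 'class_name': cls, 'topic': topic, 'item': item}
    if fmt == 2:                                          # EmbeddedObject: u32 NativeDataSize, NativeData
        (n,) = struct.unpack_from('<I', raw, pos)
        info['native'] = raw[pos + 4:pos + 4 + n]
    return info


def analyse(data: bytes) -> dict:
    """Flags plus one record per carved object, with the class name when the blob is a valid OLE 1.0 object."""
    report = rtf_flags(data)
    report['objects'] = []
    for o in carve_objdata(data):
        try:
            hdr = ole1_header(o['raw'])
        except struct.error:                              # truncated or not OLE 1.0: report it, don't crash
            hdr = {'class_name': None, 'format_id': None}
        report['objects'].append({'offset': hex(o['offset']), 'size': o['size'], 'sha256': o['sha256'],
                                  'class_name': hdr['class_name'], 'format_id': hdr['format_id']})
    return report


def build_ole1(class_name: bytes, native: bytes) -> bytes:
    """Constructed OLE 1.0 EmbeddedObject, used only to build the sample RTF below."""
    def lp(s):
        return struct.pack('<I', len(s) + 1) + s + b'\x00' if s else struct.pack('<I', 0)
    return struct.pack('<II', 0x501, 2) + lp(class_name) + lp(b'') + lp(b'') + struct.pack('<I', len(native)) + native


# Constructed sample: two embedded objects, \objupdate on the first, hex split across a line break on the second.
_EQ = build_ole1(b'Equation.3', b'\x1c\x00\x00\x00' + b'A' * 8)      # dummy native data, not an exploit
_PK = build_ole1(b'Package', b'not a real file')
SAMPLE_RTF = (
    b'{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Calibri;}}\n'
    + b'{\\object\\objemb\\objupdate\\objw100\\objh100{\\*\\objclass Equation.3}{\\*\\objdata '
    + _EQ.hex().encode() + b'}}\n'
    + b'{\\object\\objemb\\objw100\\objh100{\\*\\objclass Package}{\\*\\objdata \n'
    + _PK.hex()[:20].encode() + b'\n' + _PK.hex()[20:].encode() + b'}}\n'
    + b'lure text\\par}\n'
)

if __name__ == '__main__':
    import json
    print(json.dumps(analyse(SAMPLE_RTF), indent=2))
```

Run it as a script to see the report for the constructed sample, or call analyse() on a real file's bytes. The decoder tolerates whitespace and stray control words inside the \objdata group, and a blob that is not a valid OLE 1.0 object is still reported (with class_name None) rather than aborting the scan; it does not handle the \bin binary form or the heavier obfuscation seen in real samples, for which the rtfobj tool from oletools is the usual choice. For the sample in this report, running the class-name step over the six carved objects is the quickest way to confirm or rule out the Equation Editor target the \objupdate heuristic implies.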