Malicious RTF — malware analysis report

Static analysis result for SHA-256 b9802a2bd9916e39…

MALICIOUS

RTF

480.2 KB Authoring application: Msftedit 5.41.15.1515 First seen: 2015-09-16
MD5: 2a5e5d3c536da346849750a4b8c8613a SHA-1: 0c3cba5998c4d52e01c15315b6bed74acb847404 SHA-256: b9802a2bd9916e391a72ff0eb8ca7e99003e874c91c83e9a64ffa4302f170f4c
140 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The RTF file contains embedded OLE objects, including a package object, and critically, a PE header within hex data. The document body instructs the user to click on an embedded image, likely a lure to execute the embedded malicious object. The presence of a PE header strongly suggests the embedded object is a portable executable payload.

Heuristics 4

  • PE header (with DOS stub) in hex data critical RTF_MZ_HEX
    Hex-encoded PE (MZ + DOS stub) found inside RTF — likely an embedded executable payload
  • Package object class high RTF_OBJCLASS_PACKAGE
    OLE Package object — can wrap arbitrary files
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000000d2.bin rtf-objdata-decoded RTF \objdata at offset 0xD2 223753 bytes
SHA-256: 3eb8224b8ca3fc069e9cb3dcbe9e738ab8bf0a442362a12533fc5571158e5642

Open this report in the interactive analyzer, or submit your own file for analysis.