Malicious RTF — malware analysis report

Static analysis result for SHA-256 d347e2dc6f3dbea7…

MALICIOUS

RTF

73.7 KB First seen: 2019-08-04
MD5: 7a680473af92958dd8095df20747c232 SHA-1: 75a2c0001edade614062ae21870c3808aa584796 SHA-256: d347e2dc6f3dbea7eedcef82eeeca3161c8b916c33ebed411831994abf7248b3
102 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1566.001 Spearphishing Attachment

The RTF file contains embedded OLE objects, with one specifically triggered by \objupdate, indicating an attempt to execute embedded content. Heuristics also flag suspicious extracted artifacts, including shellcode API strings. While no specific malware family is identified, the techniques suggest a malicious document designed to exploit embedded objects.

Heuristics 5

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2003/wordml In RTF body

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0001187e.bin rtf-objdata-decoded RTF \objdata at offset 0x1187E 1549 bytes
SHA-256: 160b41223d7f14023a715b7d0905664ac690e1d6a1bd39fcb3fbe49d34740b7e
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_STR_LOADLIBRARY, SC_STR_URLDOWNLOAD, SC_PEB_ACCESS Static shellcode analysis recovered API/import strings: LoadLibraryW, GetProcAddress, URLDownloadToFileW, CreateProcessA, ExitProcess

Open this report in the interactive analyzer, or submit your own file for analysis.