MALICIOUS
282
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The RTF file contains embedded OLE objects, including a PE executable disguised within hex data. This executable is likely a payload dropped by the RTF file. The presence of URL Monikers suggests an attempt to download additional content or redirect the user. The document body discusses U.S.-Taiwan defense relations, likely a lure to encourage opening the embedded malicious content.
Heuristics 8
-
URL Moniker in RTF OLE object high RTF_URL_MONIKER_RELATEDRTF contains a URL Moniker GUID in OLE object context, but no decoded remote target was confirmed. Treat as related OLE2Link attack-surface evidence rather than proof of CVE-2017-0199 exploitation.
-
ClamAV: Rtf.Dropper.Agent-9965975-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Rtf.Dropper.Agent-9965975-1
-
PE header (with DOS stub) in hex data critical RTF_MZ_HEXHex-encoded PE (MZ + DOS stub) found inside RTF — likely an embedded executable payload
-
Package object class high RTF_OBJCLASS_PACKAGEOLE Package object — can wrap arbitrary files
-
Large hex data blocks in OLE object high RTF_EXCESSIVE_HEXRTF contains ~1190KB of hex-encoded data inside \objdata sections — may hide a payload
-
OLE object data medium RTF_OBJDATARTF contains 1 \objdata section(s) — embedded OLE objects
-
Embedded OLE object medium RTF_OBJEMBRTF contains \objemb — embedded OLE object
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://www.nytimes In RTF body
- https://www.foreignpolicyIn RTF body
- https://thediplomat.com/2017/10/indias-dangerous-taiwan-gambitIn RTF body
- https://www.menendez.senate.gov/news-and-events/press/menendez-inhofe-praise-announcement-of-taiwan-arms-packageIn RTF body
- https://foreignaffairs.house.gov/press-release/royce-engel-write-president-u-s-taiwan-relations-ahead-asia-tripIn RTF body
- https://www.cotton.senate.gov/?p=press_release&id=847In RTF body
- http://news.ltn.com.tw/In RTF body
- https://jamestown.org/program/retired-taiwan-officer-exchanges-offer-insight-into-a-modern-united-frontIn RTF body
- https://jamestown.org/program/chinas-espionage-against-taiwan-part-i-analysis-of-recent-operationsIn RTF body
- http://www.taipeitimes.com/News/front/archives/2017/03/11/2003666539In RTF body
- https://jamestown.org/program/taiwan-espionage-cases-highlight-changes-in-chinese-intelligence-operationsIn RTF body
- https://www.wilsoncenter.org/article/magic-weapons-chinas-political-influence-activities-under-xi-jinpingIn RTF body
- http://schemas.microsoft.com/office/word/2003/wordmlIn RTF body
- https://creativecommons.org/licenses/by-nc-nd/2.0/In RTF body
- https://www.menendez.senate.gov/news-and-events/press/menendez-inhofe-praise-announcement-of-taiwan-arms-package}{In RTF body
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
objdata_00_off00047c48.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x47C48 | 591395 bytes |
SHA-256: fc4b632ae9e37346a2404cba28236164d95ae9854748e095ee03f46f48fffdc0 |
|||
embedded_rtf_00047d0b.exe |
embedded-pe | RTF hex-encoded MZ at offset 0x47D0B | 591298 bytes |
SHA-256: 6651061c8d49a292c5545f8134d4e5761d3f6f5909871c33852afb9fb58e2d82 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.