Malicious RTF — malware analysis report

Static analysis result for SHA-256 da5636063cb382e5…

MALICIOUS

RTF

Size: 452.3 KB
Created: 2018-08-17 15:48:00
First seen: 2019-05-10
MD5: e5ef24dd976440b044a4ad49c2a1d536
SHA-1: b159ceb1c75c539b4a5963b2d280b5afcca11c66
SHA-256: da5636063cb382e5df408590d945689e3551a5bcf39406b6025a5c6d8bd59dd3
Risk Score: 122

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file contains multiple OLE objects with embedded data, and the \objupdate control word indicates an attempt to trigger OLE activation automatically when the document is opened. This strongly suggests the file is designed to exploit vulnerabilities in OLE object handling for client-side execution. The presence of a benign URL does not detract from the malicious indicators.

Heuristics (5)

  • Composite Moniker in RTF OLE object (severity: high, CVE related) [RTF_COMPOSITE_MONIKER_RELATED]
    RTF contains a Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • \objupdate forces OLE activation (severity: high) [RTF_OBJUPDATE]
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium) [RTF_OBJDATA]
    RTF contains 5 \objdata section(s): embedded OLE objects.
  • Embedded OLE object (severity: medium) [RTF_OBJEMB]
    RTF contains \objemb: embedded OLE object.
  • Embedded URL (severity: info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename                     Kind                  Source                           Size
objdata_00_off000039dc.bin   rtf-objdata-decoded   RTF \objdata at offset 0x39DC    31291 bytes
    SHA-256: 4106211fb67f822f774a0739cf2207550996e3857380f311491cefd8a09fda78
objdata_01_off0001866c.bin   rtf-objdata-decoded   RTF \objdata at offset 0x1866C   31291 bytes
    SHA-256: 4ac51f938b0ff756937917e9b997d4d90c6189ad75e0bbda2b0c3901123f3804
objdata_02_off0002d2fe.bin   rtf-objdata-decoded   RTF \objdata at offset 0x2D2FE   31291 bytes
    SHA-256: ce68fdd00b5218a07939507f0a01e22fa8c381ba6f52377f28123cf36e74ec91
objdata_03_off00041f90.bin   rtf-objdata-decoded   RTF \objdata at offset 0x41F90   31291 bytes
    SHA-256: 41f036268b388e1e7795fce2e7f5711f7f211faaa955b11a99dd76f32f0bbf13
objdata_04_off00056c22.bin   rtf-objdata-decoded   RTF \objdata at offset 0x56C22   31291 bytes
    SHA-256: f32661d91c1b0c1a8db5495bb0109fe69238ccb7ea5a15a321b750b07da0cf46