Malicious RTF — malware analysis report

Static analysis result for SHA-256 da911dbae8b2165a…

MALICIOUS

RTF

414.6 KB Created: 2019-01-23 19:55:00 First seen: 2020-07-24
MD5: 39d8aabac4963098040bd8d53939496b SHA-1: cafb4b8e927f1f387b170c31ce9ed77ba982fd91 SHA-256: da911dbae8b2165ab0d0bdd797b2f0dc5f5c74455b857b164ba2b0344338c1ea
122 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains embedded OLE object data and uses \objupdate to force activation, indicating an attempt to execute embedded content. The critical heuristic 'EXTRACTED_FILE_STATIC_TRIAGE' signals shellcode API strings and a potential URL, suggesting the embedded object is a downloader. The presence of an embedded OLE object strongly implies this file was delivered as a spearphishing attachment.

Heuristics 4

  • Suspicious extracted artifact critical EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2003/wordml In RTF body
    • https://bit.ly/�/$In RTF body

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0005078a.bin rtf-objdata-decoded RTF \objdata at offset 0x5078A 1268 bytes
SHA-256: 9e6cbbf77cd697833a414ab2c9c37bb235b8071c145b328086bdf16a3f573427
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis recovered URL(s): https://bit.ly/�/$ Static shellcode analysis found candidate code region(s). Indicators: SC_STR_LOADLIBRARY, SC_STR_URLDOWNLOAD, SC_PEB_ACCESS Static shellcode analysis recovered API/import strings: LoadLibraryA, GetProcAddress, URLDownloadToFileA, CreateProcessA, ExitProcess

Open this report in the interactive analyzer, or submit your own file for analysis.