Malicious RTF — malware analysis report

Static analysis result for SHA-256 e447237ad90a895e…

Verdict: MALICIOUS
File type: RTF
Size: 1.73 MB
Created: 2016-12-27 11:27:00
First seen: 2020-12-25
MD5: 62deab0e5d61d6bf9e0ba83d9e1d7e2b
SHA-1: e173c2acab38fd7d50aa65e49e36f21629cc25f9
SHA-256: e447237ad90a895e09d9b27080033f0fdf9619b5846cb96e8950196586f9362b
Risk score: 122

Heuristics (5)

  • URL Moniker in RTF OLE object [high, CVE related] RTF_URL_MONIKER_RELATED
    RTF contains a URL Moniker GUID in OLE object context, but no decoded remote target was confirmed. Treat as related OLE2Link attack-surface evidence rather than proof of CVE-2017-0199 exploitation.
  • Large hex data blocks in OLE object [high] RTF_EXCESSIVE_HEX
    RTF contains ~1527KB of hex-encoded data inside \objdata sections — may hide a payload
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • OlePres presentation stream in RTF OLE object [medium] RTF_OLEPRES_STREAM
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000032ef.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x32EF
Size: 8429 bytes
SHA-256: 2f2e8a8147d59e60ea67c7aed14eb19d69736569ad17129949d8d502dfeff3ea