MALICIOUS
180
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious File
The OOXML document contains an embedded RTF object via altChunk, which is then triggered for activation by an objupdate directive. This RTF object contains OLE object data and excessive hex data, indicating it is likely malicious. The presence of an embedded URL and the structure suggest the document is designed to exploit Office vulnerabilities to download and execute a secondary payload. The specific RTF file name 'word/Mali.rtf' and the presence of an unknown URL 'opendope.org/xpaths' are notable indicators.
Heuristics 6
-
altChunk imports embedded RTF (RTF injection) critical OOXML_ALTCHUNK_RTFDocument inlines an embedded RTF via an aFChunk relationship and a <w:altChunk> body element. This is the canonical RTF-injection wrapper used to smuggle RTF exploits (Equation Editor / URL Moniker / objdata) past DOCX-only scanners. Word opens the wrapper and executes the RTF inline. Recursing into the RTF for the exact exploit primitive.
-
\objupdate forces OLE activation high RTF_OBJUPDATE(in altChunk RTF word/Mali.rtf) RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
-
Large hex data blocks in OLE object high RTF_EXCESSIVE_HEX(in altChunk RTF word/Mali.rtf) RTF contains ~2817KB of hex-encoded data inside \objdata sections — may hide a payload
-
OLE object data medium RTF_OBJDATA(in altChunk RTF word/Mali.rtf) RTF contains 2 \objdata section(s) — embedded OLE objects
-
Embedded OLE object medium RTF_OBJEMB(in altChunk RTF word/Mali.rtf) RTF contains \objemb — embedded OLE object
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://opendope.org/xpaths
- http://opendope.org/conditions
- http://opendope.org/questions
- http://opendope.org/components
- http://opendope.org/SmartArt/DataHierarchy
- http://schemas.openxmlformats.org/wordprocessingml/2006/main
- http://schemas.openxmlformats.org/officeDocument/2006/math
- http://schemas.openxmlformats.org/officeDocument/2006/relationships
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
- http://schemas.openxmlformats.org/drawingml/2006/main
- http://schemas.openxmlformats.org/schemaLibrary/2006/main
- http://schemas.openxmlformats.org/drawingml/2006/chart
- http://schemas.openxmlformats.org/drawingml/2006/chartDrawing
- http://schemas.openxmlformats.org/drawingml/2006/diagram
- http://schemas.openxmlformats.org/drawingml/2006/picture
- http://schemas.openxmlformats.org/drawingml/2006/spreadsheetDrawing
- http://schemas.microsoft.com/office/drawing/2008/diagram
- http://schemas.openxmlformats.org/officeDocument/2006/bibliography
- http://schemas.openxmlformats.org/drawingml/2006/compatibility
- http://schemas.openxmlformats.org/drawingml/2006/lockedCanvas
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
objdata_00_off00003a12.bin6fd893c636f5378c54e1d3db776c21fa5904a29d164196d8d67826e12ac3f1a2 |
rtf-objdata-decoded | RTF \objdata at offset 0x3A12 | 1420905 bytes |
objdata_01_off002c4737.bincfdb4a077c5f246e92e6322395cebc5a3dcf8a28c92ec8882aadb5231c9a8a69 |
rtf-objdata-decoded | RTF \objdata at offset 0x2C4737 | 584266 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.