MALICIOUS
180
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious File
The OOXML document utilizes an altChunk to import an external RTF file named 'Poland.rtf'. This RTF file contains OLE objects that are triggered for activation by the \objupdate directive. The presence of excessive hex data within these OLE objects, coupled with the RTF object data and embedded OLE object heuristics, strongly suggests that this mechanism is used to execute malicious code. The document body itself does not provide specific lures, but the technical indicators point to a classic OLE object exploitation technique.
Heuristics 6
-
altChunk imports embedded RTF (RTF injection) critical OOXML_ALTCHUNK_RTFDocument inlines an embedded RTF via an aFChunk relationship and a <w:altChunk> body element. This is the canonical RTF-injection wrapper used to smuggle RTF exploits (Equation Editor / URL Moniker / objdata) past DOCX-only scanners. Word opens the wrapper and executes the RTF inline. Recursing into the RTF for the exact exploit primitive.
-
\objupdate forces OLE activation high RTF_OBJUPDATE(in altChunk RTF word/Poland.rtf) RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
-
Large hex data blocks in OLE object high RTF_EXCESSIVE_HEX(in altChunk RTF word/Poland.rtf) RTF contains ~2815KB of hex-encoded data inside \objdata sections — may hide a payload
-
OLE object data medium RTF_OBJDATA(in altChunk RTF word/Poland.rtf) RTF contains 2 \objdata section(s) — embedded OLE objects
-
Embedded OLE object medium RTF_OBJEMB(in altChunk RTF word/Poland.rtf) RTF contains \objemb — embedded OLE object
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://opendope.org/xpaths
- http://opendope.org/conditions
- http://opendope.org/questions
- http://opendope.org/components
- http://opendope.org/SmartArt/DataHierarchy
- http://schemas.openxmlformats.org/wordprocessingml/2006/main
- http://schemas.openxmlformats.org/officeDocument/2006/math
- http://schemas.openxmlformats.org/officeDocument/2006/relationships
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
- http://schemas.openxmlformats.org/drawingml/2006/main
- http://schemas.openxmlformats.org/schemaLibrary/2006/main
- http://schemas.openxmlformats.org/drawingml/2006/chart
- http://schemas.openxmlformats.org/drawingml/2006/chartDrawing
- http://schemas.openxmlformats.org/drawingml/2006/diagram
- http://schemas.openxmlformats.org/drawingml/2006/picture
- http://schemas.openxmlformats.org/drawingml/2006/spreadsheetDrawing
- http://schemas.microsoft.com/office/drawing/2008/diagram
- http://schemas.openxmlformats.org/officeDocument/2006/bibliography
- http://schemas.openxmlformats.org/drawingml/2006/compatibility
- http://schemas.openxmlformats.org/drawingml/2006/lockedCanvas
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
objdata_00_off00003a12.binc84ce93e7ba9ee9a528f213bbaf60135e41362b77cd2ff29f319335403b87bb3 |
rtf-objdata-decoded | RTF \objdata at offset 0x3A12 | 1420129 bytes |
objdata_01_off002c4127.bincfdb4a077c5f246e92e6322395cebc5a3dcf8a28c92ec8882aadb5231c9a8a69 |
rtf-objdata-decoded | RTF \objdata at offset 0x2C4127 | 584266 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.