Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 ecf2a5d13534afc7…

MALICIOUS

RTF / .DOC

Size: 1.75 MB
Created: 2019-09-17 13:59:00
MD5: f9fc5f39a5ebf0647ab97c487d9d087c
SHA-1: a391d2a453856b155a8c4432165f7140cb79245c
SHA-256: ecf2a5d13534afc781e7e44390455c11300273bec65323271ad0614f31ee4a23
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious File

The RTF document contains an embedded OLE object that is marked for automatic activation via \objupdate. That control word tells Word to update, and therefore instantiate, the object as soon as the document is opened, so the embedded OLE server is loaded without the user clicking anything. Automatic instantiation of an embedded object is the loading step that exploit documents targeting a vulnerable OLE server (Equation Editor in particular) rely on, so the combination of \objemb, \objdata and \objupdate points to an attempt to execute code on open. No script or shellcode was extracted, so the verdict rests on these structural heuristics rather than on an identified payload; the carved \objdata blob listed under Extracted artifacts is the next thing to examine.

Heuristics (4)

  • \objupdate forces OLE activation [high] RTF_OBJUPDATE
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 1 \objdata section(s): the hex-encoded payload of an embedded OLE object.
  • Embedded OLE object [medium] RTF_OBJEMB
    RTF contains \objemb, which declares an embedded (rather than linked) OLE object.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2{\7\J\J\J\J\J\J\J
    The extracted string begins with a Microsoft Office schema namespace prefix and is cut off by RTF control-word residue; it does not identify a remote payload or C2 location.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0019d61a.bin
SHA-256: df4023ede3f155ec6cf2987d0071a2b1419d5fdff739291c27a85cbd29776a79
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x19D61A
Size: 1435 bytes
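The following Python is an added example, not the analyzer's code and not derived from the report's sample. It implements the three RTF heuristics above (\objupdate, \objemb, \objdata) and the carving step that produces an artifact like the one listed: it locates the control words as whole words, finds each \objdata group by brace matching, strips the hex encoding (tolerating the line breaks Word inserts), and records the offset, decoded size, SHA-256 and OLE1 class name of the carved blob. The RTF input and the OLE 1.0 object inside it are constructed for the example; the object is a bare header with four filler bytes of native data, not an exploit.

```python
"""Minimal RTF heuristic scanner and \\objdata carver (added example)."""
import hashlib
import json
import re
from typing import Optional

# Constructed OLE 1.0 embedded-object header (MS-OLEDS EmbeddedObject layout).
# It carries only a class name and four filler bytes of "native data"; it is
# sample input for the carver, not the report's object and not an exploit.
OLE1_PAYLOAD = (
    b"\x01\x05\x00\x00"                                                 # OLEVersion 0x00000501
    + b"\x02\x00\x00\x00"                                               # FormatID 2 = embedded object
    + len(b"Equation.3\x00").to_bytes(4, "little") + b"Equation.3\x00"  # ClassName (length incl. NUL)
    + b"\x00\x00\x00\x00" * 2                                           # empty TopicName / ItemName
    + (4).to_bytes(4, "little") + b"\xde\xad\xbe\xef"                   # NativeDataSize + filler
)


def _hex_with_linebreak(blob: bytes) -> bytes:
    """Hex-encode like Word does, with a CRLF inside so the carver must tolerate whitespace."""
    h = blob.hex().encode()
    return h[:40] + b"\r\n" + h[40:]


# Constructed RTF: one embedded object flagged \objupdate, mirroring the report's heuristics.
SAMPLE_RTF = (
    rb"{\rtf1\ansi\deff0 {\object\objemb\objupdate{\*\objclass Equation.3}"
    + rb"{\*\objdata " + _hex_with_linebreak(OLE1_PAYLOAD) + rb"}}\par }"
)

# \objdata with or without the \* "ignorable destination" prefix; group 1 is the control word itself.
OBJDATA_RE = re.compile(rb"(?:\\\*)?(\\objdata)(?![A-Za-z])")


def find_control_word(data: bytes, word: bytes) -> list:
    """Offsets of every occurrence of \\word as a whole control word (\\objupdate, not \\objupdatefoo)."""
    return [m.start() for m in re.finditer(rb"\\" + re.escape(word) + rb"(?![A-Za-z])", data)]


def _group_end(data: bytes, pos: int) -> int:
    """Index of the '}' that closes the RTF group we are inside at pos.

    Tracks nested groups and skips the byte after every backslash so that
    escaped braces (\\{ \\}) and control words never end the group early.
    """
    depth = 0
    i = pos
    while i < len(data):
        c = data[i]
        if c == 0x5C:            # backslash: skip whatever it escapes or introduces
            i += 2
            continue
        if c == 0x7B:            # '{'
            depth += 1
        elif c == 0x7D:          # '}'
            if depth == 0:
                return i
            depth -= 1
        i += 1
    return len(data)             # unterminated group: take everything to EOF


def carve_objdata(data: bytes) -> list:
    """Return (offset_of_\\objdata, decoded_bytes) for every \\objdata group.

    The hex body may contain CR/LF and other noise; every non-hex byte is
    dropped before decoding. (\\bin-prefixed raw binary runs are not handled.)
    """
    out = []
    for m in OBJDATA_RE.finditer(data):
        body = data[m.end():_group_end(data, m.end())]
        hexdigits = re.sub(rb"[^0-9A-Fa-f]", b"", body)
        if len(hexdigits) % 2:   # stray trailing nibble: drop it rather than fail
            hexdigits = hexdigits[:-1]
        out.append((m.start(1), bytes.fromhex(hexdigits.decode("ascii"))))
    return out


def ole1_class_name(blob: bytes) -> Optional[str]:
    """ClassName from an OLE1 EmbeddedObject header, or None if the header does not parse."""
    if len(blob) < 12 or blob[:4] != b"\x01\x05\x00\x00":
        return None
    n = int.from_bytes(blob[8:12], "little")
    if n == 0 or n > 256 or len(blob) < 12 + n:
        return None
    return blob[12:12 + n].rstrip(b"\x00").decode("latin-1")


def scan_rtf(data: bytes) -> dict:
    """Evaluate the report's three RTF heuristics and describe each carved object."""
    carved = carve_objdata(data)
    return {
        "RTF_OBJUPDATE": bool(find_control_word(data, b"objupdate")),  # high
        "RTF_OBJEMB": bool(find_control_word(data, b"objemb")),        # medium
        "RTF_OBJDATA": len(carved),                                    # medium: number of sections
        "carved": [
            {
                "source": f"RTF \\objdata at offset 0x{off:X}",
                "size": len(blob),
                "sha256": hashlib.sha256(blob).hexdigest(),
                "class_name": ole1_class_name(blob),
            }
            for off, blob in carved
        ],
    }


if __name__ == "__main__":
    print(json.dumps(scan_rtf(SAMPLE_RTF), indent=2))
```

Running the module prints the three heuristic verdicts and one carved entry whose class name is Equation.3, the shape of the artifact table above. The brace-matching carver is what matters on real samples: \objdata bodies in the wild are split across lines and padded with junk, and a regex that stops at the first whitespace or brace will carve a truncated blob whose hash and size never line up with the report.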