Malicious RTF — malware analysis report

Static analysis result for SHA-256 f16d15b97a68b171…

MALICIOUS

RTF

Size: 852.5 KB    Created: 2020-04-16 04:46:00
MD5: db37f78291bf846f23cf60299300b835
SHA-1: 4395d2e428a8585c93135e25adcd16cb30ff655a
SHA-256: f16d15b97a68b1718ee3fa87baece8ab8ea4423bed1a87a4087894466370aa52
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The RTF file contains multiple embedded OLE objects, with heuristics indicating that \objupdate forces OLE activation. This suggests the file is designed to exploit vulnerabilities associated with OLE object handling within RTF documents. While no scripts were extracted, the presence of embedded OLE objects and the RTF_OBJUPDATE heuristic strongly indicate a malicious intent to execute embedded code or exploit a vulnerability upon opening.

Heuristics 4

  • \objupdate forces OLE activation [high] RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 12 \objdata section(s) — embedded OLE objects
  • Embedded OLE object [medium] RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml

Extracted artifacts 9

Files carved from inside the sample during analysis.

Filename                    SHA-256                                                           Kind                 Source                           Size
objdata_00_off00002cab.bin  c17a7cdff080561e682732f7ccc0c9cdd0c3ddd6f90703ffdabf70182522a715  rtf-objdata-decoded  RTF \objdata at offset 0x2CAB    21563 bytes
objdata_01_off00013a52.bin  2f623328fe2803646b50c31b9707634dd459952d8aa474367212194c862cf443  rtf-objdata-decoded  RTF \objdata at offset 0x13A52   21563 bytes
objdata_02_off00024902.bin  e7442eeac83367d9d6ac0545501bbfb80b94cf15d8342a4e9377a1c31c0b16d6  rtf-objdata-decoded  RTF \objdata at offset 0x24902   21563 bytes
objdata_04_off00046662.bin  471fedcf1fe712e3ac3b3afdd3f8dd0445c81375f493f3c0d3171591dd0d3899  rtf-objdata-decoded  RTF \objdata at offset 0x46662   21563 bytes
objdata_05_off00057512.bin  934a3f26668b4edc89e0efbfa29b662f6214cdf6a968e51ed64da69d2b31a552  rtf-objdata-decoded  RTF \objdata at offset 0x57512   21563 bytes
objdata_06_off000683c2.bin  736bc8b54777a9834b32cabc4559ae72a07779681af8511212d97ba9986e8e77  rtf-objdata-decoded  RTF \objdata at offset 0x683C2   21563 bytes
objdata_07_off00079272.bin  8f131fb212ba06f95444345ae328de61609b461095c4554a0384b777c3ab8abf  rtf-objdata-decoded  RTF \objdata at offset 0x79272   21563 bytes
objdata_09_off0009afd2.bin  d398efd119e4dc4a88e915c4aaf7c952add470bdd165d9948c774de936e87120  rtf-objdata-decoded  RTF \objdata at offset 0x9AFD2   21563 bytes
objdata_10_off000abe82.bin  b6db4d62623046015a86d12773452cd48e2291f7b58034f637e4a3c70810802e  rtf-objdata-decoded  RTF \objdata at offset 0xABE82   21563 bytes