Malicious RTF — malware analysis report

Static analysis result for SHA-256 f715a0c96c174c70…

MALICIOUS

RTF

Size: 1.49 MB
Created: 2019-09-17 13:59:00
MD5: cd25efd4705dd6f03ee2cd61fc6524de
SHA-1: 115928f8ca795c6390b37a10463fecea1e9de85a
SHA-256: f715a0c96c174c70bfc2d8b335c9bc0757ff880a73fd6e4562e4663d8a203188
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The RTF file contains embedded OLE objects, with heuristics indicating that \objupdate forces OLE activation. This suggests the file is designed to exploit vulnerabilities associated with OLE object handling, likely to execute embedded code or download additional payloads. The presence of an embedded URL, though benign-looking, is suspicious in this context. The exact nature of the payload is unclear due to the lack of script content and obfuscated document body.

Heuristics (4)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects.
  • Embedded OLE object (severity: medium, rule: RTF_OBJEMB)
    RTF contains \objemb — embedded OLE object.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2{\8\h\h

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00161217.bin
SHA-256: bfba0168fca40faea9877ec3f1644d146da869de4a117cf5d77b5af34648bcf9
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x161217
Size: 1435 bytes