Risk Score: 122 (MALICIOUS)
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The RTF file contains ten embedded OLE objects, and the presence of \objupdate means Word instantiates them automatically when the document is opened, with no user interaction required. Of the two URLs extracted from the RTF body, http://a.pomf.cat/adlwjt.exe points to an executable on a third-party host and is likely the payload; http://schemas.microsoft.com/office/word/2003/wordml is only a WordprocessingML namespace identifier. The embedded objects are most likely used to deliver and execute that payload, consistent with a spearphishing attachment (T1566.001) leading to client-side exploitation (T1203).
Heuristics (5)
- \objupdate forces OLE activation (high, RTF_OBJUPDATE): the RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
- Suspicious extracted artifact (high, EXTRACTED_FILE_STATIC_TRIAGE): one or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- OLE object data (medium, RTF_OBJDATA): the RTF contains 10 \objdata sections, each an embedded OLE object.
- Embedded OLE object (medium, RTF_OBJEMB): the RTF contains \objemb, marking an embedded (not linked) OLE object.
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://a.pomf.cat/adlwjt.exe (in RTF body)
  - http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)
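The heuristics above are straightforward to reproduce offline. The following Python script is an added example, not the analyzer's own code: it scans an RTF for \objupdate, \objemb and \objdata, decodes each hex \objdata blob, parses the OLE 1.0 object header to recover the class name that selects the OLE server, hashes the decoded blob the way the artifact table does, and lists URLs found in the body. The document it runs on is constructed inline in build_sample_rtf(); the class name Equation.3, the URL http://example.invalid/payload.exe and the filler native data are assumptions for illustration, not artifacts from this report.

```python
"""Static RTF triage for the heuristics in this report: \\objupdate, \\objemb,
\\objdata sections and URLs in the document body. Added example, not the
analyzer's own code. The sample document is constructed in build_sample_rtf();
its class name "Equation.3", its URL and its native data are assumed values."""
import hashlib
import re
import struct

RE_OBJUPDATE = re.compile(rb"\\objupdate\b")   # forces OLE activation on open
RE_OBJEMB = re.compile(rb"\\objemb\b")         # object is embedded, not linked
RE_OBJDATA = re.compile(rb"\\objdata\b")       # hex-encoded OLE1 object follows
RE_CONTROL = re.compile(rb"\\[A-Za-z]+-?\d* ?|\\[\s\S]")
RE_URL = re.compile(rb"https?://[^\s\\{}\"'<>]+")
HEX = b"0123456789abcdefABCDEF"


def hex_blob_after(data: bytes, pos: int) -> bytes:
    """Collect the hex digits that follow an \\objdata control word until the
    enclosing group closes. Writers split the hex across lines and may
    interleave control words, so control words are skipped and every other
    non-hex byte is ignored; brace depth decides where the blob ends."""
    depth, out, i = 0, [], pos
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":
            m = RE_CONTROL.match(data, i)
            i = m.end() if m else i + 1
            continue
        if c == b"{":
            depth += 1
        elif c == b"}":
            if depth == 0:
                break
            depth -= 1
        elif c in HEX:
            out.append(c)
        i += 1
    digits = b"".join(out)
    return bytes.fromhex(digits[: len(digits) & ~1].decode())


def lp_string(blob: bytes, off: int) -> tuple[str, int]:
    """LengthPrefixedAnsiString: 4-byte length, then the bytes including NUL."""
    (n,) = struct.unpack_from("<I", blob, off)
    off += 4
    return blob[off:off + n].rstrip(b"\x00").decode("latin-1"), off + n


def parse_ole1_object(blob: bytes) -> dict:
    """Parse the OLE 1.0 ObjectHeader at the start of a decoded \\objdata blob
    (MS-OLEDS): OLEVersion, FormatID, ClassName, TopicName, ItemName and, for
    FormatID 2 (embedded), NativeDataSize followed by the native data. The
    class name is what Word hands to the OLE server, so it is checked first."""
    version, format_id = struct.unpack_from("<II", blob, 0)
    off = 8
    class_name, off = lp_string(blob, off)
    topic_name, off = lp_string(blob, off)
    item_name, off = lp_string(blob, off)
    native = b""
    if format_id == 2:
        (size,) = struct.unpack_from("<I", blob, off)
        native = blob[off + 4: off + 4 + size]
    return {"ole_version": version, "format_id": format_id, "class_name": class_name,
            "topic_name": topic_name, "item_name": item_name, "native_size": len(native)}


def triage_rtf(data: bytes) -> dict:
    """Return the heuristics this report lists, plus one record per object."""
    objects = []
    for m in RE_OBJDATA.finditer(data):
        blob = hex_blob_after(data, m.end())
        rec = {"offset": m.start(), "size": len(blob),
               "sha256": hashlib.sha256(blob).hexdigest()}
        try:
            rec.update(parse_ole1_object(blob))
        except struct.error:
            rec["class_name"] = None   # too short or not an OLE1 header: inspect by hand
        objects.append(rec)
    urls = sorted({u.decode("latin-1") for u in RE_URL.findall(data)})
    findings = []
    if RE_OBJUPDATE.search(data):
        findings.append(("RTF_OBJUPDATE", "high"))
    if objects:
        findings.append(("RTF_OBJDATA", "medium"))
    if RE_OBJEMB.search(data):
        findings.append(("RTF_OBJEMB", "medium"))
    if urls:
        findings.append(("EMBEDDED_URL", "info"))
    return {"findings": findings, "objects": objects, "urls": urls}


def build_sample_rtf() -> bytes:
    """Constructed test document (not the analysed sample): one embedded OLE1
    object marked \\objemb\\objupdate with class name "Equation.3", filler
    native data, and a URL in the body. All values are assumptions."""
    def lp(s: bytes) -> bytes:
        s += b"\x00"
        return struct.pack("<I", len(s)) + s
    native = b"\x1c\x00" + b"A" * 30          # placeholder bytes, no exploit content
    obj = (struct.pack("<II", 0x00000501, 2) + lp(b"Equation.3") + lp(b"") + lp(b"")
           + struct.pack("<I", len(native)) + native)
    hexdata = obj.hex().encode()
    wrapped = b"\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return (b"{\\rtf1\\ansi\n"
            b"{\\object\\objemb\\objupdate\\objw400\\objh300{\\*\\objclass Equation.3}"
            b"{\\*\\objdata \n" + wrapped + b"\n}}\n"
            b"Report: http://example.invalid/payload.exe\\par\n}")


if __name__ == "__main__":
    import json
    print(json.dumps(triage_rtf(build_sample_rtf()), indent=2))
```

On a real sample, a class name such as Equation.3 inside an \objupdate object is the Equation Editor pattern the RTF_OBJUPDATE heuristic refers to, and a blob whose header fails to parse deserves a closer look rather than dismissal. The sha256 field lets the decoded blobs be matched against the hashes in the artifact table of this report.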
Extracted artifacts (10)
Files carved from inside the sample during analysis. All ten are decoded RTF \objdata blobs of identical size (32302 bytes) but with distinct SHA-256 hashes. ClamAV reports no threats for any of them; the static triage rates obfuscation or payload as "likely" for each one, with the same reason in every case: carved macro source contains an auto-exec entry point and execution/download terms.

| Filename | Kind | Source | Size | SHA-256 | ClamAV | Obfuscation or payload |
|---|---|---|---|---|---|---|
| objdata_00_off000028f4.bin | rtf-objdata-decoded | RTF \objdata at offset 0x28F4 | 32302 bytes | 58b8842392244e8871552005d490e7cb0365a01e647fb2a370773d83f1ae55bd | No threats found | likely |
| objdata_01_off00015007.bin | rtf-objdata-decoded | RTF \objdata at offset 0x15007 | 32302 bytes | 0bd3bc39ba0c6c4f42f8c05d485ab183acaa2c4cf636bf7913695ec49d70f872 | No threats found | likely |
| objdata_02_off0002771a.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2771A | 32302 bytes | 2d11b4770afa2bcc5e1953dce2a8e1c48016acbe3ebed79b4481bba2a28608ee | No threats found | likely |
| objdata_03_off00039e2d.bin | rtf-objdata-decoded | RTF \objdata at offset 0x39E2D | 32302 bytes | f81a3fc8c8fe2529e2c7683b57e1f7b278fe2b231d1cd5e3d73abc119fb833dc | No threats found | likely |
| objdata_04_off0004c540.bin | rtf-objdata-decoded | RTF \objdata at offset 0x4C540 | 32302 bytes | 3134b338c4143122f3e3488316388899c16340fb9edea827624299199993075a | No threats found | likely |
| objdata_05_off0005ec53.bin | rtf-objdata-decoded | RTF \objdata at offset 0x5EC53 | 32302 bytes | b8e72280148fe785b594b336ec9e0202fc17e35f148e7f113867ecb0fdbf1d84 | No threats found | likely |
| objdata_06_off00071366.bin | rtf-objdata-decoded | RTF \objdata at offset 0x71366 | 32302 bytes | 3cb2851e7225de5d121347f80b004f6ebb7f689ba7b70b6b5389d5054830375c | No threats found | likely |
| objdata_07_off00083a79.bin | rtf-objdata-decoded | RTF \objdata at offset 0x83A79 | 32302 bytes | c50f6389b94f655b9e75c328bdb96b74cabe0160f6e32891e50c8987b55aeb38 | No threats found | likely |
| objdata_08_off0009618c.bin | rtf-objdata-decoded | RTF \objdata at offset 0x9618C | 32302 bytes | ae09d6db92f34546e2b9d6f1667be26877f37e4fcf731e6d33bf8a0c8fe15a10 | No threats found | likely |
| objdata_09_off000a889f.bin | rtf-objdata-decoded | RTF \objdata at offset 0xA889F | 32302 bytes | 2ad90fb50d1ca8d1002445a2ab0776af6583a72a11205ccc1aab6eab2a2beba2 | No threats found | likely |