Malicious RTF — malware analysis report

Static analysis result for SHA-256 0629d97cc68123b1…

MALICIOUS

RTF

3.1 KB First seen: 2020-04-06
MD5: 31130e4446163973da2fdadcdbbe2d7e SHA-1: e96404293bd1b7683d1fb2aac86597403c713fee SHA-256: 0629d97cc68123b12ecb3d72d88754fb0287344f5f7cf0efc81ea7366be07cff
60 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF file contains OLE object data and an \objupdate directive, indicating an attempt to automatically activate and execute embedded objects. This technique is commonly used to deliver secondary payloads or achieve arbitrary code execution. No document body or script content was available for further analysis.

Heuristics 2

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0000006c.bin rtf-objdata-decoded RTF \objdata at offset 0x6C 1515 bytes
SHA-256: 8a3605d1ef0c6f68e1cfa71560984895547b3f600a971091501202d25e085ff0

Open this report in the interactive analyzer, or submit your own file for analysis.