Malicious RTF — malware analysis report

Static analysis result for SHA-256 0e661ada5da087ab…

MALICIOUS

RTF

3.7 KB First seen: 2020-06-01
MD5: 74c91fcb83cae297667f1efbe83bc90a SHA-1: b648a21ae6dd2310827d99ccf5e42d47b271b50a SHA-256: 0e661ada5da087abc84084c3342272535d3c10902c83be9eee6eea9f5f3eabbe
60 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF file contains OLE object data and an \objupdate directive, indicating an attempt to exploit OLE object handling for code execution. The embedded OLE object data is likely a payload designed to be activated upon opening the document.

Heuristics 2

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000000a1.bin rtf-objdata-decoded RTF \objdata at offset 0xA1 1808 bytes
SHA-256: 371a7eb379de1fa6b9d62da128e22d86263e32c0b701aa61932c20a15ab70813

Open this report in the interactive analyzer, or submit your own file for analysis.