Malicious RTF — malware analysis report

Static analysis result for SHA-256 171616a1aa1c9d4a…

MALICIOUS

RTF

242.8 KB First seen: 2019-11-20
MD5: 716e1c56df81d9c29162f22f541e1cd5 SHA-1: 51d593b07b9836bb2b185bf1504219f2d1591744 SHA-256: 171616a1aa1c9d4a72d01d465c565b459b71a51cbbf6fd8eeed2ef0253ce2186
60 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF file contains OLE object data and an \objupdate directive, indicating it is designed to exploit OLE object activation for code execution. The embedded object data is likely a payload that is triggered upon opening the document. No specific family could be identified.

Heuristics 2

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0000006c.bin rtf-objdata-decoded RTF \objdata at offset 0x6C 78311 bytes
SHA-256: 72a5e5e8140683c32fb1f0b5f4fdc24038ed2145cd3ad3c8c233d72e5d1e4014

Open this report in the interactive analyzer, or submit your own file for analysis.