Malicious RTF — malware analysis report

Static analysis result for SHA-256 17ffef3cd4b4fd0b…

MALICIOUS

RTF

77.3 KB First seen: 2019-02-20
MD5: 501442f180745c8042ba72567afa6389 SHA-1: c0069f11547e0a727f4be2663694b7e8a28d2715 SHA-256: 17ffef3cd4b4fd0b36fea01e4015d694f187f07892b3a11da33ae7b8d737c68d
60 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains OLE object data and an \objupdate directive, indicating it is designed to trigger OLE object activation. This mechanism is commonly used to execute embedded code, likely for downloading and running a secondary malicious payload. The specific payload and delivery vector are not discernible from the provided evidence.

Heuristics 2

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00007e86.bin rtf-objdata-decoded RTF \objdata at offset 0x7E86 4152 bytes
SHA-256: 1cbe55ce3b15d40abddcfe829cfe02ac74e62630904edd8d224916c2b307c821

Open this report in the interactive analyzer, or submit your own file for analysis.