Malicious RTF — malware analysis report

Static analysis result for SHA-256 207bebd66954793e…

Verdict: MALICIOUS
Type: RTF
Size: 864.7 KB
Created: 2020-04-21 07:54:00
MD5: 9bce83105949254fdffa042dc3861540
SHA-1: 43d930ddf0af21abde85d14d70c689599b8954ad
SHA-256: 207bebd66954793e7fe9e930c4a5e3a6c373115a283c55a83f1da7497b62bbb8
Risk score: 80

Malware Insights

MITRE ATT&CK
T1559.001 Inter-Process Communication: Component Object Model
T1204.002 User Execution: Malicious File
Note: automatic OLE activation from a document is COM-based inter-process communication (T1559.001), not Component Object Model Hijacking (T1546.015), which requires registry changes. If a carved object proves to be an Equation Editor exploit, T1203 Exploitation for Client Execution applies as well.

The RTF embeds twelve OLE objects (\objemb, each with a hex-encoded \objdata section), and the \objupdate control word forces them to be activated as soon as the document is opened, without the user clicking the object. No specific exploit or payload was identified statically, but the twelve carved objects are all the same size (22075 bytes) with distinct hashes, which is consistent with one object embedded repeatedly with per-copy variation. Forced activation of embedded OLE objects is rarely seen in benign documents and is the delivery pattern of Equation Editor exploit documents, so the sample is assessed malicious. Confirm by reading the OLE class name of the carved objects and detonating one in a sandbox.

Heuristics 4

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate, which forces the embedded OLE objects to be instantiated when the document is opened instead of when the user activates them. Commonly seen in Equation Editor exploit documents (CVE-2017-11882 and its variants); check the carved objects' OLE class name for Equation.3 to confirm.
  • OLE object data medium RTF_OBJDATA
    RTF contains 12 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2003/wordml (document body)
    This is the WordprocessingML 2003 XML namespace URI that Word writes into the RTF namespace table; it is not a download or C2 indicator and should not be blocked or hunted on.

Extracted artifacts 12

Files carved from inside the sample during analysis. All twelve objects decode to exactly 22075 bytes yet have distinct SHA-256 values, so the document carries the same-sized object twelve times with per-copy differences; diff two of the carved files to see whether the variation is in the OLE header or in the native payload.

  • objdata_00_off00002caa.bin
    SHA-256: d84d8fc743cf324f491326995dcbb5cbc2657a695ff3535f02ff0d589f4b32fb
    Kind: rtf-objdata-decoded   Source: RTF \objdata at offset 0x2CAA   Size: 22075 bytes
  • objdata_01_off00013e5b.bin
    SHA-256: aed714a5e5957d1152dc7b08d5e031dfb8bc77be40884c4e40ff7874b4344ea3
    Kind: rtf-objdata-decoded   Source: RTF \objdata at offset 0x13E5B   Size: 22075 bytes
  • objdata_02_off00025117.bin
    SHA-256: 94e98a99f96a5b857f1d5daa75743d459f470a08460a52b85d92501564184777
    Kind: rtf-objdata-decoded   Source: RTF \objdata at offset 0x25117   Size: 22075 bytes
  • objdata_03_off000363d3.bin
    SHA-256: 506b8d05a4e8abf0157cbc850717e638e2048c96bb359faa6097afd7e71d52e6
    Kind: rtf-objdata-decoded   Source: RTF \objdata at offset 0x363D3   Size: 22075 bytes
  • objdata_04_off0004768f.bin
    SHA-256: cc7d4d764b951e2a5d3dde2dcdb165ca99c28c7b75d1356127b2bfdb9d86129f
    Kind: rtf-objdata-decoded   Source: RTF \objdata at offset 0x4768F   Size: 22075 bytes
  • objdata_05_off0005894b.bin
    SHA-256: 8540d87f66e2b5434041a9d0a95a59d21138827c5e88791cb75d954b461508b2
    Kind: rtf-objdata-decoded   Source: RTF \objdata at offset 0x5894B   Size: 22075 bytes
  • objdata_06_off00069c07.bin
    SHA-256: a7e8c634fb1f7497f3163424af54f817eb398e031cbaaa826e06532788de19fd
    Kind: rtf-objdata-decoded   Source: RTF \objdata at offset 0x69C07   Size: 22075 bytes
  • objdata_07_off0007aec3.bin
    SHA-256: e510ae66fbbe815d60868b5756dff3b63ae554f8d4e0b7b13ba2ea80ecd7f001
    Kind: rtf-objdata-decoded   Source: RTF \objdata at offset 0x7AEC3   Size: 22075 bytes
  • objdata_08_off0008c17f.bin
    SHA-256: 55acbd5206fa579fb820fd1b359f1f240d1c5d6712363523be3cc5473bad8792
    Kind: rtf-objdata-decoded   Source: RTF \objdata at offset 0x8C17F   Size: 22075 bytes
  • objdata_09_off0009d43b.bin
    SHA-256: 90d0dba4b0beb73ab6ce913216ffef6d05522ce5eed908d9d9c24bc8d72318a3
    Kind: rtf-objdata-decoded   Source: RTF \objdata at offset 0x9D43B   Size: 22075 bytes
  • objdata_10_off000ae6f7.bin
    SHA-256: c43d4480aaf30b95d64afd255cae3124b139d3d3d249b622579e44a21b0c85b2
    Kind: rtf-objdata-decoded   Source: RTF \objdata at offset 0xAE6F7   Size: 22075 bytes
  • objdata_11_off000bf9b3.bin
    SHA-256: 2b642ec1f892dca1e3814f26ca375ded77216bb5a599c2ee10890dc3f34cecc6
    Kind: rtf-objdata-decoded   Source: RTF \objdata at offset 0xBF9B3   Size: 22075 bytes
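A minimal Python triage script, added here as a worked example and not part of the analysis tool that produced this report, reproducing the checks behind the heuristics above (RTF_OBJUPDATE, RTF_OBJEMB, RTF_OBJDATA, EMBEDDED_URL) and the carve step behind the extracted artifacts: it decodes each \objdata hex run, records its offset, size and SHA-256, and parses the OLE 1.0 object header (MS-OLEDS 2.2.4 and 2.2.5) to recover the object's class name, which is the quickest way to tell whether a carved object is an Equation.3 (Equation Editor) object. The RTF sample and the OLE 1.0 blob it wraps are constructed inline for the example; the function names and the namespace-prefix list are assumptions of the example, not anything the report defines.

```python
"""Triage an RTF for forced OLE activation and carve its \\objdata blobs (example code)."""
import hashlib
import re
import struct

OLE1_VERSION = 0x00000501   # OLEVersion field of an OLE 1.0 object (MS-OLEDS 2.2.4)
FMT_EMBEDDED = 2            # FormatID 2 = EmbeddedObject, 1 = LinkedObject
# XML namespace URIs Word writes into RTF; they are not network indicators (assumed list).
NAMESPACE_PREFIXES = (b"http://schemas.microsoft.com/", b"http://schemas.openxmlformats.org/",
                      b"http://www.w3.org/")


def parse_ole1_header(blob):
    """Return (format_id, class_name, native_size) from an OLE 1.0 object, or None if not OLE 1.0."""
    if len(blob) < 8:
        return None
    version, format_id = struct.unpack_from("<II", blob, 0)
    if version != OLE1_VERSION:
        return None
    pos, names = 8, []
    for _ in range(3):   # ClassName, TopicName, ItemName: LengthPrefixedAnsiString, length includes NUL
        if pos + 4 > len(blob):
            return None
        (n,) = struct.unpack_from("<I", blob, pos)
        pos += 4
        names.append(blob[pos:pos + n].rstrip(b"\x00").decode("latin-1"))
        pos += n
    native_size = None
    if format_id == FMT_EMBEDDED and pos + 4 <= len(blob):
        (native_size,) = struct.unpack_from("<I", blob, pos)   # NativeDataSize precedes the payload
    return format_id, names[0], native_size


def carve_objdata(rtf):
    """Yield (offset, decoded_bytes) per \\objdata; offset is that of the control word itself.
    Simplification: the hex run is read up to the next '}', so \\bin data and nested groups are not handled."""
    for m in re.finditer(rb"\\objdata\b", rtf):
        end = rtf.find(b"}", m.end())
        chunk = rtf[m.end():end if end != -1 else len(rtf)]
        hexdigits = re.sub(rb"[^0-9A-Fa-f]", b"", chunk)
        if len(hexdigits) % 2:          # stray trailing nibble: drop it rather than abort the carve
            hexdigits = hexdigits[:-1]
        yield m.start(), bytes.fromhex(hexdigits.decode("ascii"))


def triage(rtf):
    """Apply the report's four heuristics and return findings plus one record per carved object."""
    has_update = re.search(rb"\\objupdate\b", rtf) is not None
    has_emb = re.search(rb"\\objemb\b", rtf) is not None
    artifacts = []
    for off, blob in carve_objdata(rtf):
        hdr = parse_ole1_header(blob)
        artifacts.append({"offset": off, "size": len(blob), "sha256": hashlib.sha256(blob).hexdigest(),
                          "format_id": hdr[0] if hdr else None, "class_name": hdr[1] if hdr else None,
                          "native_size": hdr[2] if hdr else None})
    urls = [(u, "namespace" if u.startswith(NAMESPACE_PREFIXES) else "network")
            for u in re.findall(rb"https?://[^\s{}\\]+", rtf)]
    heur = []
    if has_update:
        heur.append(("RTF_OBJUPDATE", "high"))
    if artifacts:
        heur.append(("RTF_OBJDATA", "medium"))
    if has_emb:
        heur.append(("RTF_OBJEMB", "medium"))
    if urls:
        heur.append(("EMBEDDED_URL", "info"))
    return {"objupdate": has_update, "objemb": has_emb, "objdata_count": len(artifacts),
            "artifacts": artifacts, "urls": urls, "heuristics": heur}


def _lp_ansi(s):
    """LengthPrefixedAnsiString: 4-byte length including the NUL, or 0 for an empty string."""
    if not s:
        return struct.pack("<I", 0)
    b = s.encode("ascii") + b"\x00"
    return struct.pack("<I", len(b)) + b


# Constructed sample: a synthetic OLE 1.0 embedded object with ClassName Equation.3 whose
# native payload is filler text, wrapped in an RTF that uses \objemb and \objupdate.
NATIVE = b"constructed-native-data-placeholder"
OLE1_BLOB = (struct.pack("<II", OLE1_VERSION, FMT_EMBEDDED) + _lp_ansi("Equation.3")
             + _lp_ansi("") + _lp_ansi("") + struct.pack("<I", len(NATIVE)) + NATIVE)
_hex = OLE1_BLOB.hex().encode("ascii")
SAMPLE_RTF = (b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Calibri;}}\r\n"
              b"{\\*\\xmlnstbl {\\xmlns1 http://schemas.microsoft.com/office/word/2003/wordml}}\r\n"
              b"{\\object\\objemb\\objupdate\\objw1440\\objh720{\\*\\objclass Equation.3}{\\*\\objdata\r\n"
              + b"\r\n".join(_hex[i:i + 64] for i in range(0, len(_hex), 64))
              + b"\r\n}}\r\n\\par}\r\n")

if __name__ == "__main__":
    r = triage(SAMPLE_RTF)
    for rule, sev in r["heuristics"]:
        print(f"{sev:6s} {rule}")
    for a in r["artifacts"]:
        print(f"objdata @0x{a['offset']:X} {a['size']} bytes class={a['class_name']} sha256={a['sha256'][:16]}...")
```

Run it against the real sample with triage(open(path, "rb").read()) and compare the offsets and hashes with the artifact list. Because every object in this sample has the same decoded size, a byte-level diff of two carved blobs shows at once whether the per-copy variation sits in the OLE header or in the native data.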