Malicious RTF — malware analysis report

Static analysis result for SHA-256 27cad0ac61af88e7…

MALICIOUS

RTF

Size: 20.3 KB
First seen: 2018-01-08
MD5: 2efbaf82fc752ace3693044beec1d6e7
SHA-1: 2f822ef8b4ae3d98d279bc70e0a640b79f4578b8
SHA-256: 27cad0ac61af88e7654ca99dff45b93015e46c447826ca699c27d0d18c1dab48
Risk Score: 100

Malware Insights

MITRE ATT&CK

  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF document contains OLE object data and is configured to automatically update and activate these objects. This indicates an attempt to exploit vulnerabilities or execute embedded code upon opening. The presence of RTF_OBJAUTLINK and RTF_OBJUPDATE heuristics strongly suggests exploitation for client execution. As no document body or script content was available, the specific payload and delivery vector remain unknown, hence the family is classified as unknown.

Heuristics (3)

  • Automatically linked OLE object (severity: high, RTF_OBJAUTLINK)
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation (severity: high, RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                     Kind                  Source                         Size
objdata_00_off00000553.bin   rtf-objdata-decoded   RTF \objdata at offset 0x553   2996 bytes
  SHA-256: 1ba7af1667725f10222a1bc82abf40de727144b36cce6bef379665d4a8ecb813