Malicious RTF — malware analysis report

Static analysis result for SHA-256 28b30b53508e7d64…

Verdict: MALICIOUS
File type: RTF
Size: 299.9 KB
First seen: 2019-12-09
MD5: 0250ff1dbc40d274866a86acc13660b9
SHA-1: 6c944d2bd044b5e7dfa0a2a51222766d7579e52b
SHA-256: 28b30b53508e7d64128ce6b7d5d69e6da958e10c783c3400830bf98baa468f88
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF document contains an OLE object accompanied by an \objupdate directive, indicating an attempt to trigger an exploit as soon as the document is opened. The embedded OLE object is likely intended to execute malicious code, but the specific exploit and payload could not be determined from the available static analysis.

Heuristics (2)

  • \objupdate forces OLE activation [high] RTF_OBJUPDATE
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 1 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: objdata_00_off000000e7.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0xE7
    Size: 94936 bytes
    SHA-256: 1caca08b3788cc4bff18853b0a2769611ecc2e615c276753dcd8780ba94d4777