Malicious RTF — malware analysis report

Static analysis result for SHA-256 2ddc172d950d1b07…

MALICIOUS

RTF

Size: 6.7 KB
First seen: 2018-01-23
MD5: f5ef446170b546fb27a1dd3ac9309402
SHA-1: 559ae5ee09e51a60dc905dc94894d8047536623c
SHA-256: 2ddc172d950d1b0761fa12b61a7a38ab292c252d3789d09ac3771fe5c386e931
Risk Score: 140

Malware Insights

MITRE ATT&CK

  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file contains OLE object data with high-confidence heuristics indicating automatic linking and update, suggesting an attempt to exploit OLE activation. This mechanism is commonly used to download and execute remote payloads, likely via a URL Moniker embedded within the OLE object.

Heuristics (4)

  • URL Moniker in RTF OLE object (severity: high; CVE related; rule: RTF_URL_MONIKER_RELATED)
    RTF contains a URL Moniker GUID in OLE object context, but no decoded remote target was confirmed. Treat as related OLE2Link attack-surface evidence rather than proof of CVE-2017-0199 exploitation.
  • Automatically linked OLE object (severity: high; rule: RTF_OBJAUTLINK)
    RTF contains \objautlink, an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation (severity: high; rule: RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium; rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000003f.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x3F
Size: 3286 bytes
SHA-256: 11b2b9b479fe465e7a2d58fdcb4717e6787ebaeedb74c37d7be21538d84b0ee8