Malicious RTF — malware analysis report

Static analysis result for SHA-256 2fe94e1f55e1dd77…

MALICIOUS

RTF

Size: 44.7 KB
First seen: 2019-09-30
MD5: e5482db82751c7e6b8268339d4bcaf9f
SHA-1: 67d2c96ef164ff0145fc38effd2d4738041c8ea5
SHA-256: 2fe94e1f55e1dd7763e44a8647f727664b9184b1727f9e82545e64eebb38fccb
Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Phishing: Spearphishing Attachment

The RTF file contains OLE object data and forces automatic OLE updates, indicating it is designed to embed and execute malicious content without user interaction. The heuristics strongly suggest exploitation of OLE object activation for client execution (T1203). No specific malware family is identified; the technique is commonly used in spearphishing attachments to deliver further payloads.

Heuristics (3)

  • Automatically linked OLE object (severity: high, rule RTF_OBJAUTLINK)
    The RTF contains \objautlink: an automatically linked OLE object, which Word may update or activate when it opens the document.
  • \objupdate forces OLE activation (severity: high, rule RTF_OBJUPDATE)
    The RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. This control word is almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule RTF_OBJDATA)
    The RTF contains 1 \objdata section(s), i.e. embedded OLE object payloads.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000050b0.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x50B0
Size: 2641 bytes
SHA-256: 5d4129e472c3dc48c057949053930955516453d9b559668b5a5ca363c6f85bc2