Malicious RTF — malware analysis report

Static analysis result for SHA-256 34bb979b6def89f6…

Verdict: MALICIOUS
File type: RTF
Size: 561.9 KB
First seen: 2019-05-16
MD5: 71dea822217fe99048469185e839bb89
SHA-1: 6ab6513b3f71f11a3d1212475b226ca263563df6
SHA-256: 34bb979b6def89f6d04572355e5748693afd2979b3bd3e0baaafbbb1bf4d2891
Risk score: 60

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file contains OLE object data and an \objupdate directive, indicating an attempt to exploit OLE object handling for code execution. The presence of embedded OLE object data suggests a malicious payload is being delivered. Without further analysis of the OLE object, the specific family remains unknown.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, rule RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00009557.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x9557
Size: 19733 bytes
SHA-256: 65b8f26b8cd3b8a99b7a8724286c70c901a48fe046439eaaeb3188fe41285760