Malicious RTF — malware analysis report

Static analysis result for SHA-256 37a1dca413bedca8…

Verdict: MALICIOUS
File type: RTF
Size: 376.9 KB
Created: 2020-04-30 19:56:00
MD5: 92a594ec794f3c920c73a29a56480397
SHA-1: ff9f3377a7df70b38293382dd69d316a110780a9
SHA-256: 37a1dca413bedca841a9a633c04c77df208a7dcef64a26c799d01078805f8774
Risk score: 80

Malware Insights

MITRE ATT&CK
T1559.001 Inter-Process Communication: Component Object Model
(Note: T1559.001 is the COM sub-technique of Inter-Process Communication; Component Object Model Hijacking is a different technique, T1546.015, and is not what the evidence below shows.)

The RTF document embeds multiple OLE objects (five \objdata sections), and the high-severity \objupdate heuristic indicates that those objects are forced to activate as soon as the document is opened, without the user double-clicking them. That combination is characteristic of documents that abuse OLE object handling to execute embedded code. The heuristics describe the delivery mechanism only: they do not identify a specific exploit, and no specific malware family is identifiable from the available evidence.

Heuristics (4)

  • \objupdate forces OLE activation (severity: high, rule RTF_OBJUPDATE)
    RTF contains \objupdate. This control word forces the embedded OLE object to be instantiated automatically when the document is opened, so the object activates without any user interaction. In the wild it is seen almost exclusively in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule RTF_OBJDATA)
    RTF contains 5 \objdata section(s): the hex-encoded bodies of embedded OLE objects.
  • Embedded OLE object (severity: medium, rule RTF_OBJEMB)
    RTF contains \objemb: an embedded (as opposed to linked) OLE object.
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2003/wordml
    Caveat: this is the WordprocessingML 2003 XML namespace identifier that Word writes into documents routinely. It is not a network indicator and should not be treated as download or command-and-control infrastructure.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename                   | Kind                | Source                         | Size        | SHA-256
objdata_00_off00002ce4.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2CE4  | 25147 bytes | 674b8f5654aa3c130909d859918aea18b499a3289fa326a5463353b29d7f89da
objdata_01_off000139cb.bin | rtf-objdata-decoded | RTF \objdata at offset 0x139CB | 25147 bytes | c86ff54c32d12a1bf5c6c819c305f5a1d2a33cccbd50b2a442864b43f2031a57
objdata_02_off000246b2.bin | rtf-objdata-decoded | RTF \objdata at offset 0x246B2 | 25147 bytes | 3cab1249ae6cd0cd1c68373cb74373a4e56a6f071c182519e5d4af7c66b8ec34
objdata_03_off00035399.bin | rtf-objdata-decoded | RTF \objdata at offset 0x35399 | 25147 bytes | 0be427515989f1adf742fc68ced2bae13a7e79d35d22847b7c88e6169c994569
objdata_04_off00046080.bin | rtf-objdata-decoded | RTF \objdata at offset 0x46080 | 25147 bytes | f3b84a61ae6794eaf3375069226efe6dae1edbe7f6785c4413fda39d30139c84

All five carved objects decode to exactly 25147 bytes and the \objdata sections sit at a constant stride of 0x10CE7 (68839) bytes in the file, yet their SHA-256 hashes all differ: the document repeats an object of identical size five times with varying content.