Malicious RTF — malware analysis report

Static analysis result for SHA-256 3d65a232db7493a0…

Verdict: MALICIOUS
File type: RTF
Size: 4.4 KB
First seen: 2020-09-15
MD5: 15aa4c07809a1136143e1ff4019da257
SHA-1: 07635bc731657cf1968210ca46ffd8593ee1fee7
SHA-256: 3d65a232db7493a0b4374a54c4f90784a942ba7c5e3b2c7c2399999e22437505
Risk score: 60

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF document contains an OLE object with a \objupdate directive, indicating an attempt to exploit a vulnerability for code execution. The presence of embedded OLE object data further supports this. The specific exploit and payload cannot be determined from the static analysis alone.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000004da.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x4DA
Size: 1583 bytes
SHA-256: 82e2e8d143aa17fbab72d6a7aa5f161e3d1c9aee262cc8bebab0b72ea3c9f474