Malicious RTF — malware analysis report

Static analysis result for SHA-256 3f129ba9c6d1d424…

MALICIOUS

RTF

Size: 229.8 KB
Created: 2020-01-14 12:02:00
MD5: a384b5c6dfd6bbd07527aa55a80d9c6c
SHA-1: ff209602e965e8e2ab2de8c6e45dadfe9e2959e2
SHA-256: 3f129ba9c6d1d4245ea3397e605878240b5d5125eaf9c9fad60292e3669be93e
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The RTF document contains multiple OLE objects, with one specifically triggered by \objupdate, indicating an attempt to automatically activate embedded content. While the document body is minimal and contains no actionable text, the presence of embedded OLE objects strongly suggests a malicious intent, likely to exploit user interaction or vulnerabilities within the OLE object handling. No scripts were extracted, and the embedded URL is confirmed benign, limiting further analysis of the payload.

Heuristics (4)

  • \objupdate forces OLE activation [severity: high] (rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [severity: medium] (rule: RTF_OBJDATA)
    RTF contains 3 \objdata section(s) — embedded OLE objects.
  • Embedded OLE object [severity: medium] (rule: RTF_OBJEMB)
    RTF contains \objemb — embedded OLE object.
  • Embedded URL [severity: info] (rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00008989.bin
SHA-256: 984d022f94f280d2563d19d8a82966662a9caf6068064f770cabeb2f61790665
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x8989
Size: 15892 bytes