Malicious RTF — malware analysis report

Static analysis result for SHA-256 3fb4cecab39de808…

Verdict: MALICIOUS
File type: RTF
Size: 3.5 KB
First seen: 2019-08-04
MD5: 9fbcfe645282669e8825a84680c2011c
SHA-1: e4b44f8ae32973a1d2d2ba7ce50c152d584d8281
SHA-256: 3fb4cecab39de80896b61c958f8648f7872d72e4ad5872a40648dda9f98ec3f3
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF file carries an embedded OLE object (RTF_OBJDATA heuristic: one \objdata section). The accompanying \objupdate control word (RTF_OBJUPDATE heuristic) tells the host application to instantiate and update that object as soon as the document is opened, so the object's handler runs without any click or prompt from the user. Together these indicate an exploitation-for-client-execution attempt; the object data carved below should be inspected for the OLE class name and native payload to identify the handler being targeted.

Heuristics (2)

  • [high] RTF_OBJUPDATE: \objupdate forces OLE activation
    The RTF contains \objupdate, which forces automatic instantiation of the OLE object when the document is opened, bypassing user interaction. The control word itself is legitimate RTF (it requests that the object be updated before it is displayed), but in the wild it is almost exclusively seen in Equation Editor exploit documents.
  • [medium] RTF_OBJDATA: OLE object data
    The RTF contains 1 \objdata section(s), i.e. embedded OLE object(s) stored as hex-encoded OLE1 object data.
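As an added worked example (not the analysis platform's own code), the following Python script reproduces the two heuristics above on a constructed RTF: it detects \objupdate, carves every \objdata group into its decoded OLE1 blob (reporting offset, size and SHA-256 the way the artifact table does), and parses the OLE1 ObjectHeader defined in MS-OLEDS to recover the class name the object advertises and the size of its native data. The sample RTF, the "Equation.3" class string and the native data inside it are constructed for this example; the analysed file's object is not reproduced here.

```python
"""Triage helper for RTF documents that embed OLE objects.

Added example, not the analysis platform's code. Finds every \\objdata group,
decodes the hex payload, hashes it, and parses the OLE1 ObjectHeader (MS-OLEDS)
for the class name and native data size. Also reports whether \\objupdate is
present. The sample RTF built below is constructed and is not the analysed file.
"""
import hashlib
import re
import struct

OBJDATA_RE = re.compile(rb"\\objdata\b")
OBJUPDATE_RE = re.compile(rb"\\objupdate\b")
# A control word (\name, optional signed number, optional delimiting space),
# a hex escape (\'xx) or a control symbol (\*, \{, ...).
CONTROL_RE = re.compile(rb"\\(?:[a-zA-Z]+-?\d* ?|'[0-9a-fA-F]{2}|.)")
HEX_DIGITS = b"0123456789abcdefABCDEF"


def extract_objdata(rtf: bytes):
    """Yield (offset of the \\objdata control word, decoded blob) per group.

    Anything inside the group that is not a hex digit is dropped: obfuscated
    documents break the hex with whitespace, control words and nested groups.
    (\\bin binary runs are not handled here.)
    """
    for m in OBJDATA_RE.finditer(rtf):
        pos, depth, hexchars = m.end(), 0, bytearray()
        while pos < len(rtf):
            c = rtf[pos:pos + 1]
            if c == b"{":
                depth += 1
                pos += 1
            elif c == b"}":
                if depth == 0:          # closing brace of the \objdata group
                    break
                depth -= 1
                pos += 1
            elif c == b"\\":
                cw = CONTROL_RE.match(rtf, pos)
                pos = cw.end() if cw else pos + 1
            else:
                if c in HEX_DIGITS:
                    hexchars += c
                pos += 1
        if len(hexchars) % 2:           # tolerate a dangling nibble
            hexchars = hexchars[:-1]
        yield m.start(), bytes.fromhex(hexchars.decode("ascii"))


def parse_ole1_header(blob: bytes) -> dict:
    """Parse the OLE1 ObjectHeader at the start of a decoded \\objdata blob."""
    def lp_ansi_string(off):
        (n,) = struct.unpack_from("<I", blob, off)
        off += 4
        s = blob[off:off + n]
        if len(s) != n:
            raise struct.error("truncated LengthPrefixedAnsiString")
        return s.rstrip(b"\x00").decode("latin-1"), off + n

    version, format_id = struct.unpack_from("<II", blob, 0)
    class_name, off = lp_ansi_string(8)
    topic_name, off = lp_ansi_string(off)
    item_name, off = lp_ansi_string(off)
    info = {"ole_version": version, "format_id": format_id,
            "class_name": class_name, "topic_name": topic_name,
            "item_name": item_name}
    if format_id == 2:                  # FormatID 2 = embedded object
        (size,) = struct.unpack_from("<I", blob, off)
        info["native_data_size"] = size
        info["native_data_present"] = len(blob) >= off + 4 + size
    return info


def triage(rtf: bytes) -> dict:
    """Report the RTF_OBJUPDATE / RTF_OBJDATA signals plus per-object details."""
    result = {"objupdate": OBJUPDATE_RE.search(rtf) is not None, "objects": []}
    for offset, blob in extract_objdata(rtf):
        entry = {"offset": offset, "size": len(blob),
                 "sha256": hashlib.sha256(blob).hexdigest()}
        try:
            entry.update(parse_ole1_header(blob))
        except struct.error:
            entry["error"] = "payload too short for an OLE1 ObjectHeader"
        result["objects"].append(entry)
    return result


SAMPLE_NATIVE = b"constructed native data, not an exploit"   # constructed


def build_sample_blob() -> bytes:
    """Constructed OLE1 embedded object advertising the Equation.3 class."""
    class_name = b"Equation.3\x00"
    hdr = struct.pack("<II", 0x00000501, 2)                  # OLEVersion, FormatID
    hdr += struct.pack("<I", len(class_name)) + class_name   # ClassName
    hdr += struct.pack("<I", 0) + struct.pack("<I", 0)       # TopicName, ItemName
    return hdr + struct.pack("<I", len(SAMPLE_NATIVE)) + SAMPLE_NATIVE


def build_sample_rtf() -> bytes:
    """Constructed RTF: \\objupdate plus one \\objdata group with wrapped hex."""
    hexdata = build_sample_blob().hex().encode("ascii")
    wrapped = b"\r\n".join(hexdata[i:i + 40] for i in range(0, len(hexdata), 40))
    return (b"{\\rtf1\\ansi\\deff0\r\n"
            b"{\\object\\objemb\\objupdate\\objw380\\objh260\r\n"
            b"{\\*\\objclass Equation.3}\r\n"
            b"{\\*\\objdata \r\n" + wrapped + b"\r\n}}\r\n}")


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample_rtf()), indent=2))
```

Run stand-alone, the script prints the triage result for the constructed sample as JSON. For real casework, oletools' rtfobj performs the same carving with far more tolerance for RTF obfuscation; the point here is to show what the RTF_OBJDATA and RTF_OBJUPDATE signals actually key on and what the carved OLE1 header tells you about the targeted handler.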

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                    Kind                 Source                       Size
objdata_00_off0000009b.bin  rtf-objdata-decoded  RTF \objdata at offset 0x9B  1684 bytes
SHA-256: 63ea25d850d574e800cf587618f87e547fc9fec83ba9ea2d58cc177a8b745ca4