Malicious RTF — malware analysis report

Static analysis result for SHA-256 3fbf1bb815a7051a…

Verdict: MALICIOUS
File type: RTF
Size: 4.9 KB
First seen: 2019-05-31
MD5: cab6d7b8379393e82df2e82cdc132ebb
SHA-1: 3335d212aab60020ce768a709036ff13b64fb9aa
SHA-256: 3fbf1bb815a7051a9bd3c486c5aeda59734bb9d9bb85377939ae89faf57844e6
Risk score: 60

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF file contains an embedded OLE object, flagged by the RTF_OBJDATA heuristic (one \objdata group, at offset 0x154). The \objupdate control word at offset 0x13A7, flagged by RTF_OBJUPDATE, forces that object to be instantiated as soon as the document is opened, without the user double-clicking it; this is the usual way an exploit against the OLE server that handles the object is triggered. The specific exploit and its target application cannot be identified from the evidence available here, so the sample is classified as an unknown family.

Heuristics (2)

  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (medium): OLE object data
    RTF contains 1 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                     Kind                  Source                         Size
objdata_00_off00000154.bin   rtf-objdata-decoded   RTF \objdata at offset 0x154   2170 bytes
  SHA-256: 3d1bf9397d27f71d6a502b4b16b1082f3b4db77e2f05f4a96c3128092937346a
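The two heuristics above and the carved artifact are produced by the same procedure: locate the \objupdate and \objdata control words, hex-decode the \objdata group into the raw OLE 1.0 object, and read its ObjectHeader to learn which OLE class (and therefore which application) the object targets. The script below is an added example of that procedure, not the analysis engine that produced this report. It parses the OLE 1.0 ObjectHeader and EmbeddedObject layout from [MS-OLEDS] sections 2.2.4 and 2.2.5; the RTF it scans is constructed inline for the example (a benign "Package" object) and is not the sample described on this page.

```python
"""Added example: find \\objupdate / \\objdata in an RTF, carve the OLE 1.0 object
from the hex-encoded \\objdata group and parse its ObjectHeader (MS-OLEDS 2.2.4).
The RTF below is constructed for this example and carries no exploit."""
import re
import struct
from typing import Optional

# RTF control word: backslash, letters, optional numeric parameter, optional delimiter space
CTRL = re.compile(rb"\\[A-Za-z]+-?\d* ?")


def build_ole1_object(class_name: bytes, native: bytes) -> bytes:
    """Build a minimal OLE 1.0 EmbeddedObject (constructed test data, MS-OLEDS 2.2.5)."""
    def lpas(s: bytes) -> bytes:
        # LengthPrefixedAnsiString: 4-byte length, then the NUL-terminated string
        s = s + b"\x00"
        return struct.pack("<I", len(s)) + s
    hdr = struct.pack("<II", 0x00000501, 0x00000002)     # OLEVersion, FormatID=2 (embedded)
    hdr += lpas(class_name) + struct.pack("<I", 0) * 2   # ClassName, empty TopicName/ItemName
    return hdr + struct.pack("<I", len(native)) + native  # NativeDataSize, NativeData


# Constructed sample document: an embedded "Package" object with \objupdate set.
_OBJ = build_ole1_object(b"Package", b"constructed native data")
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\n"
    b"{\\object\\objemb\\objupdate{\\*\\objclass Package}\n"
    b"{\\*\\objdata " + _OBJ.hex().encode() + b"}}\n"
    b"}"
)


def find_control_word(data: bytes, word: bytes) -> list:
    """Byte offsets of every occurrence of \\<word> (not a longer word sharing the prefix)."""
    return [m.start() for m in re.finditer(rb"\\" + word + rb"(?![A-Za-z])", data)]


def carve_objdata(data: bytes) -> list:
    """Return (offset, decoded_bytes) for each \\objdata group.

    Hex digits are collected up to the brace that closes the group; control words
    interleaved into the hex (a common obfuscation) are skipped rather than decoded."""
    results = []
    for off in find_control_word(data, b"objdata"):
        depth, i = 0, off + len(b"\\objdata")
        hexchars = bytearray()
        while i < len(data):
            c = data[i:i + 1]
            if c == b"{":
                depth += 1
            elif c == b"}":
                if depth == 0:
                    break          # end of the \objdata group
                depth -= 1
            elif c == b"\\":
                m = CTRL.match(data, i)
                i = m.end() if m else i + 2   # skip a control word or control symbol
                continue
            elif c in b"0123456789abcdefABCDEF":
                hexchars += c
            i += 1
        if len(hexchars) % 2:
            hexchars = hexchars[:-1]          # drop a dangling nibble
        results.append((off, bytes.fromhex(hexchars.decode())))
    return results


def parse_ole1_header(blob: bytes) -> Optional[dict]:
    """Parse an OLE 1.0 ObjectHeader; None if the blob does not start with one."""
    if len(blob) < 8 or struct.unpack_from("<I", blob, 0)[0] != 0x00000501:
        return None
    fmt_id = struct.unpack_from("<I", blob, 4)[0]
    pos, names = 8, []
    for _ in range(3):                        # ClassName, TopicName, ItemName
        if pos + 4 > len(blob):
            return None
        n = struct.unpack_from("<I", blob, pos)[0]
        pos += 4
        if pos + n > len(blob):
            return None
        names.append(blob[pos:pos + n].rstrip(b"\x00").decode("latin-1"))
        pos += n
    info = {"format_id": fmt_id, "class_name": names[0],
            "topic_name": names[1], "item_name": names[2]}
    if fmt_id == 2 and pos + 4 <= len(blob):  # EmbeddedObject: NativeDataSize + NativeData
        size = struct.unpack_from("<I", blob, pos)[0]
        info["native_data_size"] = size
        info["native_data"] = blob[pos + 4:pos + 4 + size]
    return info


def analyze(data: bytes) -> dict:
    """Emit the RTF_OBJUPDATE offsets and one record per carved \\objdata object."""
    objects = []
    for off, blob in carve_objdata(data):
        hdr = parse_ole1_header(blob) or {}
        objects.append({"offset": off, "size": len(blob),
                        "class_name": hdr.get("class_name"),
                        "native_data": hdr.get("native_data")})
    return {"objupdate": find_control_word(data, b"objupdate"), "objects": objects}


if __name__ == "__main__":
    r = analyze(SAMPLE_RTF)
    print("RTF_OBJUPDATE at offsets", [hex(o) for o in r["objupdate"]])
    for o in r["objects"]:
        print(f"RTF_OBJDATA at {o['offset']:#x}: {o['size']} bytes, OLE1 class {o['class_name']!r}")
```

The class name recovered from the carved object is the piece of evidence this report lacks: when it names a known OLE server, the family classification follows from which application instantiates that class, which is why the artifact table above records the decoded object rather than the raw RTF group.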