Malicious RTF — malware analysis report

Static analysis result for SHA-256 4babb43e6c0f28ca…

MALICIOUS

RTF

Size: 477.7 KB
Created: 2019-01-07 23:54:00
MD5: d0481f63bb2cd902e98421f4beb490b5
SHA-1: 8b690e7e77513ad4bcdea2bc9acb63dc99482301
SHA-256: 4babb43e6c0f28ca013aaeb420d41a0c260af5bd55c994a459bc2d3faedd77c4
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The RTF document contains multiple OLE objects, indicated by the RTF_OBJDATA and RTF_OBJEMB heuristics. The presence of RTF_OBJUPDATE and RTF_OBJCLASS_PACKAGE suggests that these embedded objects are designed to be activated automatically when the document is opened, likely leading to execution of the embedded content. The specific nature of the payload cannot be determined from static analysis alone, but the combination of indicators points to a malicious OLE object delivery mechanism.

Heuristics (4)

  • \objupdate forces OLE activation [high] RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • Package object class [high] RTF_OBJCLASS_PACKAGE
    OLE Package object — can wrap arbitrary files.
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 5 \objdata section(s) — embedded OLE objects.
  • Embedded OLE object [medium] RTF_OBJEMB
    RTF contains \objemb — embedded OLE object.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000a71.bin
SHA-256: 79fc833951a6fdc713f60773d32313fa223930201e6336d323a9ea978de70c01
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0xA71
Size: 35899 bytes