Malicious RTF — malware analysis report

Static analysis result for SHA-256 4c149655adceaa96…

MALICIOUS

RTF

Size: 4.6 KB
First seen: 2020-07-02
MD5: 484039e154d11831f9a9eb0b9cb4f455
SHA-1: df9a10f48b2d3a7cbd42dbc9840a29848ce00923
SHA-256: 4c149655adceaa96847cd97cc6eab1c08e311f2ad5674252361b9940e955318c
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The RTF file contains an embedded OLE object, indicated by the RTF_OBJDATA heuristic. The RTF_OBJUPDATE heuristic suggests that this object is configured to automatically activate upon opening, which is a common technique for executing embedded exploits or payloads. The document body consists of repeating numerical strings, offering no contextual clues, and no scripts were extracted.

Heuristics (2)

  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (medium): OLE object data
    RTF contains 1 \objdata section(s) (embedded OLE objects).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000025c.bin
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x25C
Size:     1995 bytes
SHA-256:  14629787593027476b76d3b96f9d252709a3f5e74966ca8e5467bfe52f5b7be5