Malicious RTF — malware analysis report

Static analysis result for SHA-256 4c34d35aa6bfb512…

MALICIOUS

RTF

99.6 KB Created: 2020-03-26 23:23:00
MD5: 2a6d6ea570bf94f27a057e2181247e6e SHA-1: 602c808c644bd96cbf7f6d4423d22fd1bff8b538 SHA-256: 4c34d35aa6bfb51235832f2f653d4d95ac18f8050d7b9894a3810492341c5ed2
80 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 User Execution: Malicious File

The RTF document contains an embedded OLE object that is triggered by \objupdate, indicating an attempt to execute malicious content. The document body impersonates the PTIN Verification Team, warning tax preparers of potential identity theft and threatening PTIN closure if an attached document is not reviewed, serving as a social engineering lure. No scripts were extracted from this sample.

Heuristics 4

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2003/wordml}}\paperw12240\paperh15840\margl1440\margr1440\margt1440\margb1440\gutter0\ltrsect

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00002d2d.bin
e8b73d392b657717e93dce91336196111ddbc958f7e2c2d3537d4d6bf22834b8		 rtf-objdata-decoded RTF \objdata at offset 0x2D2D 18491 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.