Malicious RTF — malware analysis report

Static analysis result for SHA-256 4df9ee84917a49f1…

MALICIOUS

RTF

Size: 9.3 KB
Authoring application: Riched20 10.0.18362
First seen: 2021-05-29
MD5: 1eb7a107f09baa8667da6ae37b2ec40e
SHA-1: ced894e59bc739003ad587e9c8f24cb3a4710ee2
SHA-256: 4df9ee84917a49f1f17d8ac31ea37ad0134f56c85a2b6b3eb9aa8d170040c91b
Risk score: 80

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The RTF document contains embedded OLE objects, specifically a package object, which is a common technique for delivering malicious payloads. The presence of these objects indicates an attempt to exploit vulnerabilities or execute arbitrary code upon opening the document. Further analysis would be required to determine the exact nature of the payload.

Heuristics (3)

  • RTF_OBJCLASS_PACKAGE: Package object class (severity: high)
    OLE Package object — can wrap arbitrary files
  • RTF_OBJDATA: OLE object data (severity: medium)
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • RTF_OBJEMB: Embedded OLE object (severity: medium)
    RTF contains \objemb — embedded OLE object

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000000f8.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0xF8
Size: 767 bytes
SHA-256: e7aeb86148e4ac51af4c77e09e555d4c1eaeee2793e91673ed5982d10ba14131