Malicious RTF — malware analysis report

Static analysis result for SHA-256 500f4f2ba1068a38…

MALICIOUS

RTF

Size: 4.2 KB
First seen: 2020-05-25
MD5: dd2ba5ce85dd0ef4f7575fd7a04a2e3c
SHA-1: b8d6fdc42b4788e95b7e1014a088a5953736f6f0
SHA-256: 500f4f2ba1068a385eef79eb40b392bf814fc73076cfa9997be4f0b93dfd52f1
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF file contains OLE object data together with an \objupdate directive, indicating it is built to exploit a vulnerability triggered by automatic OLE object activation. That mechanism allows arbitrary code to run as soon as the document is opened, without further user interaction. No specific malware family could be identified from the available evidence.

Heuristics (2)

  • \objupdate forces OLE activation [severity: high] (RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [severity: medium] (RTF_OBJDATA)
    RTF contains 1 \objdata section(s): embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000008d.bin
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x8D
Size:     1893 bytes
SHA-256:  29945421954bbd74a8896679d30accb33f9de715c5ae6699f6d4866ff7965e4d