Malicious RTF — malware analysis report

Static analysis result for SHA-256 511bbf1a18b44660…

MALICIOUS

RTF

3.7 KB First seen: 2020-05-25
MD5: f2969cf867efb4479e6b31b5435cf904 SHA-1: a796b63281f7daa650222d7e9cde391cb1236ed5 SHA-256: 511bbf1a18b446609ec3a1a0ca9a4e73fc9b58afcba1c74b8d0ca8e8ed9b7f14
60 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF document contains OLE object data and an \objupdate directive, indicating it is designed to exploit a vulnerability related to OLE object activation for arbitrary code execution. The specific exploit mechanism is not detailed, but the presence of these elements strongly suggests a client-side execution attack. No further IOCs were extracted from the limited document body.

Heuristics 2

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000000c1.bin rtf-objdata-decoded RTF \objdata at offset 0xC1 1767 bytes
SHA-256: 0e7d3a1e1dabac08d08aec1b5c5af135934826f0753c22c353d59a7a213d07de

Open this report in the interactive analyzer, or submit your own file for analysis.