Malicious RTF — malware analysis report

Static analysis result for SHA-256 534269820e2fe560…

MALICIOUS

RTF

Size: 1.17 MB
Created: 2019-09-17 13:59:00
First seen: 2020-12-25
MD5: 829efe0ddcaa45584c22fd1d7b7e914d
SHA-1: 9830f2142f002ad87fed2e029ebfb37271922c3b
SHA-256: 534269820e2fe56017982a04b9608a7ec61184b7b7865518a68906b5dd06a473
Risk score: 82

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The RTF file contains embedded OLE objects, with one object specifically triggering an update action that forces activation. This suggests the file is designed to exploit vulnerabilities or execute embedded code upon opening. The presence of an embedded URL, even if benign, indicates an attempt to interact with external resources. The obfuscated document body and lack of clear scripting prevent a more precise determination of the payload, but the overall structure points to a downloader or exploit delivery mechanism.

Heuristics (4)

  • \objupdate forces OLE activation [severity: high] RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [severity: medium] RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects.
  • Embedded OLE object [severity: medium] RTF_OBJEMB
    RTF contains \objemb — embedded OLE object.
  • Embedded URL [severity: info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (found in RTF body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                    Kind                 Source                         Size
objdata_00_off0011ef1c.bin  rtf-objdata-decoded  RTF \objdata at offset 0x11EF1C  1435 bytes
  SHA-256: 292cc004bdc1fa4da19d2d694a0d16c320e3ed32f42a4c017ef274b6e5664783