Malicious RTF — malware analysis report

Static analysis result for SHA-256 5b6b7091336852b3…

MALICIOUS

RTF

Size: 2.19 MB   Created: 2019-09-17 13:59:00
MD5: dbfe5fc379d33bf87b6c4ce204abc71f
SHA-1: 38a90b80232700165e818c71a52b04a17fe90c41
SHA-256: 5b6b7091336852b3387dd61a8f5582b8cd37c588a97097b065fd880a87d26fc5
Risk score: 82

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment

The RTF contains embedded OLE object data (\objemb, \objdata) together with \objupdate, which makes Word instantiate the object as soon as the document is opened, with no click from the user. That combination is the usual delivery mechanism for client-side exploits carried in RTF (T1203) and is what the RTF_OBJUPDATE heuristic keys on. Static analysis alone did not identify a malware family; the verdict rests on the technique, which points to a document built to deliver a payload, most plausibly as a spearphishing attachment (T1566.001). Identifying the targeted vulnerability and the payload requires looking at the carved object itself or detonating the sample.

Heuristics (4)

  • \objupdate forces OLE activation [high] RTF_OBJUPDATE
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 1 \objdata section(s): hex-encoded embedded OLE object stream(s).
  • Embedded OLE object [medium] RTF_OBJEMB
    RTF contains \objemb: an embedded (as opposed to linked) OLE object.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2{
    Note: the prefix is the Office Word XML namespace that Word-generated RTF references, not a download or callback address, and the trailing `{` is an RTF group delimiter captured by the URL extractor. Treat this string as document-body namespace text rather than as an indicator.
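As an added example (not the analysis platform's own code), the Python below implements the three RTF heuristics listed above and the \objdata carving behind the artifact table: it counts the control words, pulls the hex out of each \objdata group (stripping nested control words first so their letters are not mistaken for hex digits), decodes it, hashes the result, and parses the OLE1 embedded-object header to recover the class name and native data. It goes one step past the report by reading the OLE1 header, which is where the embedded object's class name lives. SAMPLE_RTF, NATIVE and the Equation.3 class name are constructed here for illustration; the native data is a placeholder string, not an exploit.

```python
"""Scan an RTF for the OLE heuristics above and carve/decode \\objdata objects.
Added example for this report, not the analysis platform's code. SAMPLE_RTF is
constructed in place; its native data is a placeholder, not a real payload."""
import hashlib
import re
import struct

# Control words the report flags: \objupdate forces OLE activation on open,
# \objemb marks an embedded object, \objdata carries the OLE1 stream as hex.
HEURISTICS = {
    "RTF_OBJUPDATE": rb"\\objupdate\b",
    "RTF_OBJEMB": rb"\\objemb\b",
    "RTF_OBJDATA": rb"\\objdata\b",
}
OBJDATA_RE = re.compile(HEURISTICS["RTF_OBJDATA"])
CONTROL_WORD_RE = re.compile(rb"\\[A-Za-z]+-?[0-9]*[ ]?")  # \word \word123 \word-5
CONTROL_SYMBOL_RE = re.compile(rb"\\[^A-Za-z]", re.S)       # \{ \} \\ \'xx


def match_heuristics(rtf: bytes) -> dict:
    """Return {heuristic_id: number of occurrences} for the control words above."""
    return {name: len(re.findall(pat, rtf)) for name, pat in HEURISTICS.items()}


def _group_body(rtf: bytes, start: int) -> bytes:
    """Bytes from `start` up to the brace that closes the enclosing RTF group."""
    depth, i = 1, start
    while i < len(rtf):
        c = rtf[i:i + 1]
        if c == b"\\":              # escaped brace or control word: skip next byte
            i += 2
            continue
        if c == b"{":
            depth += 1
        elif c == b"}":
            depth -= 1
            if depth == 0:
                return rtf[start:i]
        i += 1
    return rtf[start:]              # unterminated group: take what is there


def carve_objdata(rtf: bytes) -> list:
    """Return [(offset of \\objdata, decoded bytes)] for every \\objdata group.
    Assumes the hex follows \\objdata after whitespace, as Word emits it."""
    carved = []
    for m in OBJDATA_RE.finditer(rtf):
        body = _group_body(rtf, m.end())
        body = CONTROL_WORD_RE.sub(b"", body)       # drop nested control words first:
        body = CONTROL_SYMBOL_RE.sub(b"", body)     # their letters look like hex
        hexdata = re.sub(rb"[^0-9A-Fa-f]", b"", body)
        if len(hexdata) % 2:                        # odd nibble: truncated/obfuscated
            hexdata = hexdata[:-1]
        carved.append((m.start(), bytes.fromhex(hexdata.decode("ascii"))))
    return carved


def parse_ole1(blob: bytes) -> dict:
    """Parse the OLE1 EmbeddedObject header carried by \\objdata (MS-OLEDS 2.2.5):
    OLEVersion, FormatID, ClassName, TopicName, ItemName, NativeDataSize, NativeData."""
    def lp_string(off):                             # LengthPrefixedAnsiString
        (n,) = struct.unpack_from("<I", blob, off)
        return blob[off + 4:off + 4 + n].rstrip(b"\x00"), off + 4 + n

    version, fmt = struct.unpack_from("<II", blob, 0)
    class_name, off = lp_string(8)
    _topic, off = lp_string(off)
    _item, off = lp_string(off)
    (native_size,) = struct.unpack_from("<I", blob, off)
    return {"ole_version": version, "format_id": fmt,
            "class_name": class_name.decode("latin-1"),
            "native_size": native_size,
            "native": blob[off + 4:off + 4 + native_size]}


def analyze(rtf: bytes) -> dict:
    """Heuristic hits plus one record per carved object, like the artifact table."""
    objects = []
    for off, blob in carve_objdata(rtf):
        rec = {"offset": off, "size": len(blob), "sha256": hashlib.sha256(blob).hexdigest()}
        try:
            rec.update(parse_ole1(blob))
        except struct.error:                        # malformed header: keep the blob anyway
            rec["parse_error"] = "not a well-formed OLE1 header"
        objects.append(rec)
    return {"heuristics": match_heuristics(rtf), "objects": objects}


# --- constructed sample (not a real document) --------------------------------
def build_ole1(class_name: bytes, native: bytes) -> bytes:
    """Minimal OLE1 embedded-object stream, the inverse of parse_ole1."""
    lp = struct.pack("<I", len(class_name) + 1) + class_name + b"\x00"
    return (struct.pack("<II", 0x00000501, 0x00000002)   # OLEVersion, FormatID=embedded
            + lp + struct.pack("<II", 0, 0)               # empty TopicName / ItemName
            + struct.pack("<I", len(native)) + native)


NATIVE = b"constructed placeholder, not a real payload"
_hex = build_ole1(b"Equation.3", NATIVE).hex()
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\n"
    b"{\\object\\objemb\\objupdate\\objw100\\objh100\n"
    b"{\\*\\objclass Equation.3}\n"
    b"{\\*\\objdata " + _hex[:40].encode() + b"\n" + _hex[40:].encode() + b"\n}\n"
    b"{\\result {\\pict\\wmetafile8 0000}}}\n"
    b"\\par lure text}"
)
```

Run `analyze(SAMPLE_RTF)` to get the three heuristic counts and one object record with offset, size, SHA-256 and the class name Equation.3; on a real sample, read the file as bytes and pass it in. Obfuscated documents that put `\objdata` hex behind unusual control words or split it across groups may defeat the simple stripping here, which is why the hex filter is deliberately permissive and malformed headers are flagged rather than dropped.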

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0021e01e.bin
SHA-256: f5a74ea6600bb99ed3d4256ad43066356196cfd8b50048492e5c649f20c69de9
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x21E01E
Size: 1435 bytes

This carved object is the artifact to examine next: its OLE1 header names the class of the embedded object, and its native data is whatever the document actually delivers.