Malicious RTF — malware analysis report

Static analysis result for SHA-256 652d0cdc85db18f6…

Verdict: MALICIOUS
File type: RTF
Size: 173.3 KB
First seen: 2019-01-20
MD5: 0b56bcfc80e7c6e0cd09708d9484f380
SHA-1: ab949d075bdb9be6e5fbfec588660547fbf855a9
SHA-256: 652d0cdc85db18f6ce7189ba90128ad58162bd039b0343338a5097ecb0035f77
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file contains OLE object data and an \objupdate directive, indicating an attempt to exploit OLE object handling for code execution. The presence of embedded OLE object data suggests a malicious payload is being delivered. Without further analysis of the OLE object, the specific family remains unknown.

Heuristics (2)

  • RTF_OBJUPDATE (severity: high): \objupdate forces OLE activation
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (severity: medium): OLE object data
    RTF contains 1 \objdata section(s) — embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00009558.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x9558
Size: 21673 bytes
SHA-256: d2831bcfb34b70e95bbe2bdf593e3b64e41e3925ccde63301b17f7b6532bac35