Malicious RTF — malware analysis report

Static analysis result for SHA-256 6eecf232a5c5f491…

Verdict: MALICIOUS
File type: RTF
Size: 87.2 KB
First seen: 2019-09-30
MD5: ff446696a1af623f42bc9f0e7ac99704
SHA-1: e8b5caa527d7a3998008b833051f9c1f672763ba
SHA-256: 6eecf232a5c5f491d23ae1f9451489d3cd3d6f8df6bad2eaf3f782ef44cabf47
Risk Score: 82

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The RTF file contains embedded OLE object data that is configured to update and activate automatically. This suggests an attempt to exploit a vulnerability, likely for client-side execution of a secondary payload. While no scripts were directly extracted, the embedded OLE object is a common vector for malware delivery, often initiated via spearphishing.

Heuristics (4)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects.
  • Embedded OLE object (severity: medium, rule: RTF_OBJEMB)
    RTF contains \objemb — embedded OLE object.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (found in RTF body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00014e87.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x14E87
Size: 1800 bytes
SHA-256: 7e89cab18e5056dc17665483979f8becbc5feeb6623c74472a6fd803ad936397