Malicious RTF — malware analysis report

Static analysis result for SHA-256 75405e28d7608079…

MALICIOUS

RTF

Size: 1.8 KB
Authoring application: Riched20 6.3.9600
First seen: 2020-12-25
MD5: 6e2942f93daf0fe497082f9915e69520
SHA-1: 496eb4a219cdd7170111a7d76973f627a595c2aa
SHA-256: 75405e28d760807934fbe2b220eba2b3f0b037d8d3e216c92a7f914cf78c6bda
Risk score: 120

Heuristics (4)

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000000e8.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0xE8
Size: 197 bytes
SHA-256: 7e2c4cc22b96d56190126d485cb9d51d4611b96de8ece8f1e5944d8e66047638
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): cmd.exe /c calc.exe