Malicious RTF — malware analysis report

Static analysis result for SHA-256 76ff1b80630bb2ef…

MALICIOUS

RTF

5.0 KB First seen: 2020-07-24
MD5: c722ad84a4d1036219a4142b37e6d627 SHA-1: 96eda620acf33ad56def3590f516bfebddf389a6 SHA-256: 76ff1b80630bb2ef18a11fe9ccaeac6bd3ff0f3cb28dd7990e67da09c9b1e0eb
80 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains embedded OLE objects, with heuristics indicating that \objupdate forces OLE activation. This suggests the file is designed to exploit OLE object handling to execute arbitrary code. No specific family could be identified, and no further IOCs were extracted.

Heuristics 3

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00000091.bin rtf-objdata-decoded RTF \objdata at offset 0x91 2244 bytes
SHA-256: f862378524111a51e0bca4049c06a6183f2f24872c3118c18cacfec2a9f11a5b

Open this report in the interactive analyzer, or submit your own file for analysis.