Malicious RTF — malware analysis report

Static analysis result for SHA-256 7f9073554d846b86…

Verdict: MALICIOUS
File type: RTF
Size: 1.9 KB
First seen: 2019-10-30
MD5: f2141f1eee3cd339133847206b335af7
SHA-1: 1ce3c2e9cea6de5be4dd650256ff50f5f696c081
SHA-256: 7f9073554d846b863e8f6d82765fcb9cbb0a991b8ab4a9798ea4a73783435df5
Risk score: 60

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The RTF file contains an embedded OLE object, indicated by the RTF_OBJDATA heuristic. The RTF_OBJUPDATE heuristic suggests that this object is configured to automatically activate, which is a common technique for executing embedded exploits or payloads. Without further analysis of the OLE object's content, the specific family and detailed attack vector remain unknown.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, RTF_OBJDATA)
    RTF contains 1 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000036.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x36
Size: 924 bytes
SHA-256: 4d86a7f786f88e2fef1704f22a8407d764e37bc13453d824a91e804274a27e0a