Malicious RTF — malware analysis report

Static analysis result for SHA-256 a60c7244206b635d…

Verdict: MALICIOUS
File type: RTF
Size: 425.8 KB
Created: 2020-04-14 22:43:00
MD5: 75443f12b0b74d4cb581909b83318f8d
SHA-1: b00ea06519671b73004db6dfbb4d7b86ba1aea62
SHA-256: a60c7244206b635d18c244028c1b1dc4c07da716e0ff78529692bc667f117195
Risk Score: 180

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The RTF document contains multiple embedded OLE objects, with one specifically identified as a Package object. The presence of \objupdate and \objdata directives strongly suggests that these embedded objects are designed to be activated, likely leading to the execution of a malicious payload. ClamAV detection as Win.Malware.Agent-7767047-0 further supports the malicious nature of the file.

Heuristics (5)

  • ClamAV: Win.Malware.Agent-7767047-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Malware.Agent-7767047-0
  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • Package object class (severity: high, rule: RTF_OBJCLASS_PACKAGE)
    OLE Package object: can wrap arbitrary files
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 5 \objdata section(s): embedded OLE objects
  • Embedded OLE object (severity: medium, rule: RTF_OBJEMB)
    RTF contains \objemb: embedded OLE object

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00002601.bin
SHA-256: 0eda7c0d1ae79f76b48fa90991d24c07404c2b890ead3c62a64c29de3613856b
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x2601
Size: 34875 bytes