Malicious RTF — malware analysis report

Static analysis result for SHA-256 ad63e97851550643…

MALICIOUS

RTF

Size: 491.6 KB
Created: 2019-01-07 23:54:00
MD5: a495530aa56d36ddc71eb70b40caa270
SHA-1: 2a3d11e7875227f016863b0735946cd3d2ce92d4
SHA-256: ad63e9785155064378a11e92aabda84a7aac389806babcb5b51ec7898398dc4f
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The RTF file contains multiple OLE objects, with specific heuristics indicating the use of \objdata and \objupdate, suggesting an attempt to trigger OLE activation. The presence of a Package object class further supports the likelihood of embedded executable content. This indicates a delivery mechanism designed to exploit OLE vulnerabilities to execute a payload.

Heuristics (4)

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • Package object class high RTF_OBJCLASS_PACKAGE
    OLE Package object — can wrap arbitrary files
  • OLE object data medium RTF_OBJDATA
    RTF contains 5 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000b2c.bin
SHA-256:  76b24cd37c7871b64c2c3af2951e03816c03933dc3296aac690464c2bc015e6e
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0xB2C
Size:     46638 bytes