Malicious RTF — malware analysis report

Static analysis result for SHA-256 b40f24b5b4c7a4c8…

MALICIOUS

RTF

Size: 2.1 KB
First seen: 2019-06-27
MD5: 43c176d0126136171404b08a14965dbc
SHA-1: 701e5326dca8240d497cdb266a65a91fc88cf4ea
SHA-256: b40f24b5b4c7a4c8fda0827cf2f75ffc2cdd50061dbf374e690d3790993b2365
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The RTF file contains an OLE object with embedded data, indicated by the RTF_OBJDATA heuristic. The RTF_OBJUPDATE heuristic suggests that this object is designed to be automatically activated upon opening the document, which is a common technique for executing embedded malware. ClamAV detection further confirms its malicious nature, identifying it as Rtf.Dropper.Agent-6977563-0, likely a dropper.

Heuristics (3)

  • ClamAV: Rtf.Dropper.Agent-6977563-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Rtf.Dropper.Agent-6977563-0
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • objdata_00_off00000085.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x85
    Size: 932 bytes
    SHA-256: fd9ddb76609bb2b405ca22e362b8e00eb853f588d06d6ec23eaef575a7732575