Malicious RTF — malware analysis report

Static analysis result for SHA-256 b88470b464f4e30f…

Verdict: MALICIOUS
File type: RTF
Size: 12.4 KB
First seen: 2020-09-07
MD5: 986ae1a18f9d417d8ae4a3850050afad
SHA-1: f625b01815231861fe52d4673a33ff72bd8b3d3f
SHA-256: b88470b464f4e30f1a6c70f5eae38084b13016b6f8c5a78bfeaa72dc5c6d12fb
Risk score: 60

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file contains OLE object data and an \objupdate directive, indicating an attempt to exploit OLE object activation for code execution. The presence of these two indicators together strongly suggests a malicious document built to exploit a vulnerability in the OLE object handler. No specific malware family is identified, but the attack pattern points to a dropper or exploit document.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000021ec.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x21EC
Size: 1771 bytes
SHA-256: 5844eb6d8a729a2c1ceb794dfbef8575f4eee7c5ee20468f51f17f90afbb5bdd