Malicious RTF — malware analysis report

Static analysis result for SHA-256 b8954367c6cbeddc…

MALICIOUS

RTF

Size: 775.2 KB    Created: 2019-01-07 23:54:00
MD5:     870b7627d804ecd0cffd20ac0204fcfb
SHA-1:   bc3c10d088ab9f06697f1d6fe6847cefbdea6520
SHA-256: b8954367c6cbeddcf7c616c48844ad23b109a5aeabce7212b0a3951a50de20d7
Risk score: 120

Malware Insights

MITRE ATT&CK
T1559.001 Inter-Process Communication: Component Object Model    T1204.002 User Execution: Malicious File

The RTF file contains multiple OLE objects (10 \objdata sections). The heuristics flag \objupdate, which forces the embedded objects to be activated as soon as the document is opened, with no user interaction, and an \objclass of Package, which is an OLE Packager object that can wrap an arbitrary file and is written to disk when activated. Together this is the pattern of RTF exploit documents that drop a Package payload and trigger it through an OLE object-handling vulnerability. No document body text or scripts were extracted, so the specific payload could not be identified statically; the decoded \objdata artifact listed below is the starting point for further analysis.

Heuristics (4)

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • Package object class high RTF_OBJCLASS_PACKAGE
    \objclass Package: an OLE Packager object, which can wrap an arbitrary file (including an executable) that is dropped to disk when the object is activated
  • OLE object data medium RTF_OBJDATA
    RTF contains 10 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                     Kind                  Source                          Size
objdata_00_off00000a67.bin   rtf-objdata-decoded   RTF \objdata at offset 0xA67    32827 bytes
  SHA-256: 507dcdf4f8feea98921847e1ba648287ad8d62f33b5c53eb48edd176cdf75daf
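The four heuristics above and the carved artifact can be reproduced with a small parser. The following is an added example written for this report, not the analysis platform's own code: it scans an RTF for the control words listed under Heuristics, decodes each \objdata hex group into bytes the way the rtf-objdata-decoded artifact was carved, reads the OLE 1.0 header (MS-OLEDS: OLEVersion, FormatID, length-prefixed ClassName) to confirm the object class, and names the output objdata_NN_offXXXXXXXX.bin after the report's convention. The regexes, the illustrative score weights, the function names and the embedded sample RTF are constructed for the example; real exploit documents spread the hex across lines and interleave control words, which the carver tolerates, but for production triage use a maintained tool such as oletools' rtfobj.

```python
import re
import struct

# Heuristic ids and severities as listed in the report; the regexes are constructed here.
# (?![A-Za-z]) stops \objdata from also matching a longer control word.
HEURISTICS = {
    "RTF_OBJUPDATE":        (rb"\\objupdate(?![A-Za-z])",          "high"),
    "RTF_OBJCLASS_PACKAGE": (rb"\\objclass\s+Package(?![A-Za-z])", "high"),
    "RTF_OBJDATA":          (rb"\\objdata(?![A-Za-z])",            "medium"),
    "RTF_OBJEMB":           (rb"\\objemb(?![A-Za-z])",             "medium"),
}

def scan_heuristics(rtf: bytes) -> dict:
    """Return {heuristic_id: (severity, hit_count)} for every heuristic that fired."""
    hits = {}
    for hid, (pattern, severity) in HEURISTICS.items():
        n = len(re.findall(pattern, rtf))
        if n:
            hits[hid] = (severity, n)
    return hits

def _skip_control(rtf: bytes, i: int) -> int:
    """i points at a backslash; return the index just past the control word or symbol.
    Control-word letters (e.g. \\line) would otherwise be mistaken for hex digits."""
    i += 1
    if i >= len(rtf):
        return i
    if rtf[i:i+1] == b"'":                 # \'hh escaped byte: skip all three chars
        return i + 3
    if not rtf[i:i+1].isalpha():           # control symbol such as \{ \} \\ \*
        return i + 1
    while i < len(rtf) and rtf[i:i+1].isalpha():
        i += 1
    if i < len(rtf) and rtf[i:i+1] == b"-":
        i += 1
    while i < len(rtf) and rtf[i:i+1].isdigit():   # optional numeric parameter
        i += 1
    if i < len(rtf) and rtf[i:i+1] == b" ":         # single delimiting space
        i += 1
    return i

def carve_objdata(rtf: bytes) -> list:
    """Decode every \\objdata group. Returns [(offset_of_objdata, decoded_bytes), ...]."""
    out = []
    for m in re.finditer(rb"\\objdata(?![A-Za-z])", rtf):
        i, depth, hexchars = m.end(), 0, bytearray()
        while i < len(rtf):
            c = rtf[i:i+1]
            if c == b"\\":
                i = _skip_control(rtf, i)
                continue
            if c == b"{":
                depth += 1
            elif c == b"}":
                if depth == 0:             # closing brace of the \objdata group
                    break
                depth -= 1
            elif c in b"0123456789abcdefABCDEF":
                hexchars += c              # whitespace and newlines are ignored
            i += 1
        if len(hexchars) % 2:              # tolerate a dangling nibble
            hexchars.pop()
        out.append((m.start(), bytes.fromhex(hexchars.decode("ascii"))))
    return out

def ole1_class_name(blob: bytes):
    """Parse the OLE 1.0 header: OLEVersion (0x501), FormatID, length-prefixed ClassName.
    Returns (format_id, class_name) or None if the blob is not an OLE 1.0 stream."""
    if len(blob) < 12:
        return None
    version, format_id, name_len = struct.unpack_from("<III", blob, 0)
    if version != 0x00000501 or name_len > len(blob) - 12:
        return None
    name = blob[12:12 + name_len].rstrip(b"\x00").decode("latin-1")
    return format_id, name

def artifact_name(index: int, offset: int) -> str:
    """Same naming the report uses for carved objects: objdata_NN_offXXXXXXXX.bin."""
    return f"objdata_{index:02d}_off{offset:08x}.bin"

def triage(rtf: bytes) -> dict:
    """Run the heuristics, carve objects, and sum an illustrative score (not the scanner's formula)."""
    hits = scan_heuristics(rtf)
    objects = [{"name": artifact_name(idx, off), "size": len(blob), "ole1": ole1_class_name(blob)}
               for idx, (off, blob) in enumerate(carve_objdata(rtf))]
    score = sum({"high": 40, "medium": 20}[sev] for sev, _ in hits.values())
    return {"heuristics": hits, "objects": objects, "score": score}

# Constructed sample: one embedded Package object whose \objdata is an OLE 1.0 stream
# (OLEVersion 0x501, FormatID 2 = embedded, class "Package") carrying 4 bytes of native
# data; whitespace and a \line control word are inserted inside the hex on purpose.
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\deff0\n"
    b"{\\object\\objemb\\objupdate{\\*\\objclass Package}\n"
    b"{\\*\\objdata 01050000 02000000\\line 08000000\n"
    b"5061636b61676500 00000000 00000000 04000000 deadbeef}}\n"
    b"\\par }"
)

if __name__ == "__main__":
    import json, sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_RTF
    print(json.dumps(triage(data), indent=2, default=str))
```

Run it against a file to get the same four heuristic ids plus one carved object per \objdata group; writing each decoded blob out under its artifact name and hashing it gives the table above. The OLE 1.0 check matters in practice: if the decoded bytes do not start with 01 05 00 00, the object is either obfuscated further or not OLE at all, and the carved file needs a different parser.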