Malicious RTF — malware analysis report

Static analysis result for SHA-256 babc60d43781c5f7…

MALICIOUS

RTF

Size: 5.2 KB
First seen: 2020-06-01
MD5: 7ed8759a29e6584e0dc245b5c6216171
SHA-1: 085ae47f0a31f5171c30feb8cc515fa8a015f246
SHA-256: babc60d43781c5f7e415e2354cf32a6a24badc96b971a3617714e5dd2d4a14de
Risk score: 60

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF file contains an OLE object with an \objupdate directive, which is a strong indicator of exploitation for client execution. The embedded OLE object data is likely a payload designed to be activated automatically upon opening the document. No specific family could be identified from the available evidence.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: objdata_00_off000000ac.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0xAC
    Size: 2373 bytes
    SHA-256: 094c19b3c52deecbf55cd64c4bfdf871c8c9de62693aa029cd5721827ddbd04c