Malicious RTF — malware analysis report

Static analysis result for SHA-256 bdb659a9348c9e53…

MALICIOUS

RTF

32.0 KB First seen: 2018-09-04
MD5: c7db6472a259b0a46cd9e91978ce37ea SHA-1: 20d67ce1a0c4710fd4ce73de3cb8dde22aa36220 SHA-256: bdb659a9348c9e53676e0c1f6d9bdac811df7e33282bb93b061a75a794f18dd0
140 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF document contains an OLE object with an objdata stream, which is a common technique for embedding malicious content. The presence of SC_STR_MSHTA and RTF_OBJUPDATE heuristics strongly suggests that the document attempts to leverage mshta.exe to execute a payload. The embedded OLE object likely contains a script or executable designed to be launched by mshta.exe.

Heuristics 4

  • Ole10Native stream in RTF OLE object high CVE related RTF_OLE10NATIVE_STREAM
    RTF contains an embedded OLE object with an Ole10Native stream. This is a strong payload-container signal and is related to Word/OLE exploit delivery, but it is not specific enough on its own to assign a CVE.
  • Reference to mshta.exe high SC_STR_MSHTA
    Reference to mshta.exe
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0000003b.bin rtf-objdata-decoded RTF \objdata at offset 0x3B 7962 bytes
SHA-256: 8a32c20a55a8564b57c4b68282d3bf090428d880b84968357de14e1847711ac8

Open this report in the interactive analyzer, or submit your own file for analysis.