Malicious RTF — malware analysis report

Static analysis result for SHA-256 bf9db7daafde49d8…

Verdict: MALICIOUS
File type: RTF
Size: 3.8 KB
First seen: 2020-05-25
MD5: 01b2b06e11d6b72f54db011509035fdd
SHA-1: 38711dc754d6e2d02554339876cddea664c19088
SHA-256: bf9db7daafde49d8cdea593a6a805e28fb8279ea9497ef0362738520bb67be58
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF file contains OLE object data and an \objupdate directive, indicating an attempt to exploit OLE object activation. This technique is commonly used to execute embedded malicious code, likely leading to a second-stage payload. No specific family could be identified from the available evidence.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, rule RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule RTF_OBJDATA)
    RTF contains 1 \objdata section — an embedded OLE object.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000007a.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x7A
Size: 1858 bytes
SHA-256: 856452d2ae8406fe491badedad309a55f0d811f4117f88ce9e2ff29269359c0d