Malicious RTF — malware analysis report

Static analysis result for SHA-256 c326c46d8ed301b1…

MALICIOUS

RTF

197.6 KB Created: 2020-02-10 07:22:00
MD5: 33c7b20a3cdd15c0b9ed6ef7241f87f4 SHA-1: 1487c62e7fbf83f0a5a90c43b374af54b4b9f98e SHA-256: c326c46d8ed301b1e2df3657685ad0d1ce14b6c1686f7debf2eff389b6b4abc2
80 Risk Score

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking T1204.002 Malicious File

The RTF document contains multiple OLE objects, with one specifically triggering an \objupdate command. This suggests the file is designed to exploit OLE object activation to execute arbitrary code or load malicious content. The presence of embedded OLE object data, specifically decoded into objdata_00_off000088e2.bin, is the primary indicator of this malicious behavior.

Heuristics 3

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 3 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000088e2.bin
b09cd46986d0001f1e58ca3f4922be861a66b587df713652f08b7a8209c68e67		 rtf-objdata-decoded RTF \objdata at offset 0x88E2 15892 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.