Malicious RTF — malware analysis report

Static analysis result for SHA-256 c4e1ded25fa25990…

MALICIOUS

RTF

1.12 MB Created: 2020-03-31 22:37:00
MD5: ffec41d115f9044845a3cb7864780e50 SHA-1: cdd2ff74fa4c3bef3af63c825a91bcc8379b9b17 SHA-256: c4e1ded25fa259903d88be7a0947c199c2e511ad279b9dce90472f78880501cd
80 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The RTF document contains embedded OLE objects, with a specific heuristic indicating that \objupdate forces OLE activation. This suggests the document is designed to exploit OLE object handling to trigger malicious code execution. The presence of an embedded URL, though benign, is noted. No scripts were extracted, and the document body is minimal, limiting further analysis of the specific payload.

Heuristics 4

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2003/wordml

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000071a2.bin
e08f3e9735ac3fd67894ec51742decb1ee71caab63e3af5b3b0c4805eaee3e7a		 rtf-objdata-decoded RTF \objdata at offset 0x71A2 118042 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.