Malicious RTF — malware analysis report

Static analysis result for SHA-256 ca3a2e275d5e64a6…

Verdict: MALICIOUS
File type: RTF
Size: 4.4 KB
First seen: 2020-02-04
MD5: bc814f40b1979cedb9db1ff53b79c072
SHA-1: f7bb037a2652c2da641deda83bc78e1b9fa57c56
SHA-256: ca3a2e275d5e64a6c5326bf6e34e52a5166b815612dde6f1753bdc8e48a0a19a
Risk score: 60

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF file contains OLE object data and an \objupdate directive, indicating it is designed to exploit a vulnerability in OLE object activation to execute arbitrary code. The repetitive numeric string in the document body does not provide further context for the attack's objective.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: objdata_00_off00000070.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x70
    Size: 2173 bytes
    SHA-256: 9d4d51a9623c46dea5585fc3c1f6d54570eae3842acb2eceb92c0c855ac7a28d