Malicious RTF — malware analysis report

Static analysis result for SHA-256 cabba3de7403b635…

MALICIOUS

RTF

5.9 KB First seen: 2020-09-15
MD5: f282d2c4aaa2046ecdf1cb3e26dd0805 SHA-1: b40afedc007a0abc515a90ec2ebfd1387667d638 SHA-256: cabba3de7403b6350f94bd740ad8f809a298b73a36c28383cea2d4e292ceec45
60 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF file contains OLE object data and an \objupdate directive, indicating it is designed to exploit a vulnerability in OLE object handling to achieve code execution. The specific exploit is not detailed, but the presence of these elements strongly suggests an attempt to run malicious code upon opening.

Heuristics 2

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00000464.bin rtf-objdata-decoded RTF \objdata at offset 0x464 2194 bytes
SHA-256: 5aad6a9d19fc28dd688f04ddf074fb10330db47d676bcfabea30d8ab8955164e

Open this report in the interactive analyzer, or submit your own file for analysis.