Malicious RTF — malware analysis report

Static analysis result for SHA-256 ce1877f750c84e3f…

MALICIOUS

RTF

Size: 9.8 KB
First seen: 2020-09-07
MD5: add4699c31b849434e08c39a31980474
SHA-1: e4d95ee225882112ec05234c1f6834cd7313ee6e
SHA-256: ce1877f750c84e3f6bdf664a8a69ff6f54f75a70563f1ef5c3bb309b5404fb55
Risk score: 60

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF file contains an OLE object that is forced to activate via the \objupdate directive. This indicates an attempt to exploit OLE object activation to execute embedded malicious content, likely leading to further stages of infection. No specific family could be identified.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001933.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1933
Size: 1585 bytes
SHA-256: b9fe34b0afa7537424742f163e35ccc1cf08219af4d312c06f1eed708374d742