Malicious RTF — malware analysis report

Static analysis result for SHA-256 d2a883b3e4676b33…

MALICIOUS

RTF

Size: 13.8 KB
First seen: 2021-10-04
MD5: 0ace3ca2dec7eab359b3a98ed7932af6
SHA-1: fdae3464524cc1ec4ebc41f51012d1fc4f53fa4e
SHA-256: d2a883b3e4676b33e24b5d5c457ff255a74bae3f169e0f4c78307ac8824e69a8
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF document contains OLE object data and uses \objupdate to force OLE activation, indicating an attempt to exploit vulnerabilities for code execution. The embedded OLE object, objdata_00_off00001463.bin, is likely a payload or a loader for one. Given the nature of RTF exploits, it is highly probable that this document was delivered via spearphishing.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 2 \objdata section(s) — embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001463.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1463
Size: 1752 bytes
SHA-256: 4e545790ffb03bcb4320e70d766b6bcb094384db8fc2815c1f55312e9804f24a