Malicious RTF — malware analysis report

Static analysis result for SHA-256 d8f27b4b1983b127…

Verdict: MALICIOUS
Type: RTF
Size: 4.8 KB
First seen: 2020-09-15
MD5: f45f4e19dbe2dfd2031eea283e02937a
SHA-1: 14523d2b33e682245854d6de329a17b1cbaf3e8f
SHA-256: d8f27b4b1983b127ad715ecddd05a6e2cad543a240902d3977b2c5847745028d
Risk score: 60

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF carries one embedded OLE object (an \objdata section) inside an \object group that also sets \objupdate. That control word tells Word to update, and therefore load, the embedded object as soon as the document is opened, so the OLE server that handles the object runs without the user double-clicking anything. This pairing is characteristic of documents that exploit a vulnerability in an OLE server (in practice, as the heuristic below notes, almost always Equation Editor), and the embedded object is therefore most likely the exploit body or its payload. The class name in the OLE 1.0 header of the carved object (see the extracted artifact) identifies which server would be loaded and should be checked to confirm this. No specific malware family could be identified from the available evidence.

Heuristics (2)

  • [high]   RTF_OBJUPDATE  \objupdate forces OLE activation
    The RTF contains \objupdate, which forces Word to instantiate the embedded OLE object automatically when the document is opened, so no user interaction is needed to reach the vulnerable OLE server. Almost exclusively seen in Equation Editor exploit documents.
  • [medium] RTF_OBJDATA    OLE object data
    The RTF contains 1 \objdata section(s), i.e. embedded OLE object(s).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                     Kind                  Source                         Size
objdata_00_off000002ba.bin   rtf-objdata-decoded   RTF \objdata at offset 0x2BA   2038 bytes
  SHA-256: 92b74f4d3d456e0352594108fba7b0b580cb8e794d32ec8a728134f6af94ba6a
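The following is an added worked example, not part of this report and not the code of the tool that produced it. It reimplements the two heuristics above (RTF_OBJUPDATE, RTF_OBJDATA) and the carving step behind the extracted artifact: it scans an RTF for \objupdate, hex-decodes every \objdata group, and parses the OLE 1.0 ObjectHeader at the front of the decoded bytes (OLEVersion, FormatID, the ClassName/TopicName/ItemName length-prefixed strings, then NativeDataSize for an embedded object, as laid out in MS-OLEDS) so that the class name of the OLE server that would be loaded is reported. The artifact naming objdata_NN_offXXXXXXXX.bin mirrors the report's pattern on the assumption that the offset is that of the \objdata control word. The RTF it runs on is constructed here (an embedded object with class name Equation.3 and filler instead of a real equation stream); it is not the analysed sample, whose class name the report does not state.

```python
import hashlib
import re
import struct
from dataclasses import dataclass, field


@dataclass
class RtfObject:
    offset: int              # byte offset of the \objdata control word in the RTF
    raw: bytes               # hex-decoded object bytes (what the report carves)
    ole_version: int = 0     # OLE 1.0 ObjectHeader.OLEVersion, normally 0x00000501
    format_id: int = 0       # 1 = linked object, 2 = embedded object
    class_name: str = ""     # ProgID of the OLE server Word will load for this object
    native_size: int = 0     # length of the NativeData blob handed to that server


@dataclass
class RtfFindings:
    objupdate: bool
    objects: list = field(default_factory=list)


_HEXDIGITS = b"0123456789abcdefABCDEF"


def _carve_hex(data: bytes, start: int) -> bytes:
    """Collect the hex digits after an \\objdata control word up to the '}' that
    closes its group. Whitespace, line breaks and stray control words (e.g. an
    injected \\par) are skipped; exploit builders sprinkle those in to defeat
    naive regexes. \\bin raw-binary runs are not handled by this simple carver."""
    out = bytearray()
    i, depth = start, 0
    while i < len(data):
        c = data[i:i + 1]
        if c == b"{":
            depth += 1
        elif c == b"}":
            if depth == 0:
                break
            depth -= 1
        elif c == b"\\":
            j = i + 1                        # skip \word, \word123 or \'xx sequences
            while j < len(data) and (data[j:j + 1].isalnum() or data[j:j + 1] in b"-'"):
                j += 1
            i = j
            continue
        elif c in _HEXDIGITS:
            out += c
        i += 1
    if len(out) % 2:
        out.pop()                            # odd nibble count: drop the dangling digit
    return bytes.fromhex(out.decode("ascii"))


def _read_lp_ansi(buf: bytes, pos: int):
    """LengthPrefixedAnsiString: 4-byte length (counting the NUL), then the bytes."""
    (n,) = struct.unpack_from("<I", buf, pos)
    pos += 4
    text = buf[pos:pos + n].rstrip(b"\x00").decode("latin-1", "replace")
    return text, pos + n


def analyze_rtf(data: bytes) -> RtfFindings:
    """Flag \\objupdate and carve every \\objdata object, parsing its OLE 1.0 header."""
    if not data.startswith(b"{\\rt"):       # lenient: malicious RTFs often mangle the \rtf1 header
        raise ValueError("not an RTF document")
    findings = RtfFindings(
        objupdate=re.search(rb"\\objupdate(?![a-zA-Z])", data) is not None)
    for m in re.finditer(rb"\\objdata(?![a-zA-Z])", data):
        raw = _carve_hex(data, m.end())
        obj = RtfObject(offset=m.start(), raw=raw)
        if len(raw) >= 8:
            obj.ole_version, obj.format_id = struct.unpack_from("<II", raw, 0)
            pos = 8
            try:
                obj.class_name, pos = _read_lp_ansi(raw, pos)   # ClassName
                _topic, pos = _read_lp_ansi(raw, pos)           # TopicName
                _item, pos = _read_lp_ansi(raw, pos)            # ItemName
                if obj.format_id == 2:                          # EmbeddedObject
                    (obj.native_size,) = struct.unpack_from("<I", raw, pos)
            except struct.error:
                pass                         # truncated/malformed header: keep what was read
        findings.objects.append(obj)
    return findings


def heuristics(f: RtfFindings) -> list:
    """The report's two heuristics as (name, severity, detail); detail adds the class name(s)."""
    hits = []
    if f.objupdate:
        hits.append(("RTF_OBJUPDATE", "high", "\\objupdate forces OLE activation on open"))
    if f.objects:
        classes = ", ".join(o.class_name or "?" for o in f.objects)
        hits.append(("RTF_OBJDATA", "medium",
                     f"{len(f.objects)} \\objdata section(s); class name(s): {classes}"))
    return hits


def artifact_name(index: int, obj: RtfObject) -> str:
    """Name carved objects like the report does: objdata_NN_offXXXXXXXX.bin (assumed convention)."""
    return f"objdata_{index:02d}_off{obj.offset:08x}.bin"


def sha256_hex(b: bytes) -> str:
    return hashlib.sha256(b).hexdigest()


def _lp_ansi(s: bytes) -> bytes:
    return struct.pack("<I", 0) if not s else struct.pack("<I", len(s) + 1) + s + b"\x00"


def build_sample_ole1() -> bytes:
    """Constructed OLE 1.0 embedded object (not the analysed sample's object):
    class Equation.3 with 32 bytes of filler where a real equation stream would sit."""
    native = b"\x1c\x00\x00\x00" + b"A" * 28
    return (struct.pack("<II", 0x00000501, 0x00000002)
            + _lp_ansi(b"Equation.3") + _lp_ansi(b"") + _lp_ansi(b"")
            + struct.pack("<I", len(native)) + native)


def build_sample_rtf(with_objupdate: bool = True) -> bytes:
    """Constructed minimal RTF wrapping build_sample_ole1() in an \\object group."""
    hexdata = build_sample_ole1().hex().encode("ascii")
    wrapped = b"\r\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    flags = b"\\objemb\\objupdate" if with_objupdate else b"\\objemb"
    return (b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Calibri;}}\\pard"
            b"{\\object" + flags + b"{\\*\\objclass Equation.3}"
            b"{\\*\\objdata " + wrapped + b"}"
            b"{\\result{\\pict\\wmetafile8 0100090000}}}\\par}")


if __name__ == "__main__":
    findings = analyze_rtf(build_sample_rtf())
    for name, sev, detail in heuristics(findings):
        print(f"{sev:<8}{name:<15}{detail}")
    for i, obj in enumerate(findings.objects):
        print(artifact_name(i, obj), f"{len(obj.raw)} bytes", obj.class_name,
              f"OLE {obj.ole_version:#x} fmt {obj.format_id} native {obj.native_size}",
              sha256_hex(obj.raw))
```

To run it against the real sample, pass open(path, "rb").read() to analyze_rtf(); a class name such as Equation.3 or Equation.2 in the carved header confirms the Equation Editor hypothesis the heuristic makes, while anything else (or an empty/garbage header) means the object should be looked at by hand. The carver deliberately stops at the first closing brace and ignores \bin runs, so heavily obfuscated RTFs can still slip past it; for production triage use a maintained parser such as oletools' rtfobj and keep this as the reference for what the two heuristics actually test.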