Malicious RTF — malware analysis report

Static analysis result for SHA-256 dd1ee0b0756258f8…

MALICIOUS

RTF

210.8 KB First seen: 2020-05-25
MD5: da629c51b4704cb84d35f505551a0157 SHA-1: 597c8814e54bea41526ab5c616fc75c5b0ecd364 SHA-256: dd1ee0b0756258f8b1aee5b2ce52395c1e8f5187ed11a27b7079c9d58519edf3
Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The sample is an RTF document containing embedded OLE objects, indicated by RTF_OBJDATA and RTF_OBJUPDATE heuristics. The RTF_OBJAUTLINK heuristic suggests that these objects are automatically linked and activated upon opening, which is a common technique for exploiting client execution vulnerabilities. The embedded OLE object data itself is likely a payload or a loader for one.

Heuristics (3)

  • Automatically linked OLE object high RTF_OBJAUTLINK
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000015d1.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x15D1
Size: 63965 bytes
SHA-256: ba5d9fc9475cb167f4abf625c206e2c958772bc9099d0f07f80eeda6a4d67d62