Malicious RTF — malware analysis report

Static analysis result for SHA-256 dde06476192019a4…

MALICIOUS

RTF

Size: 230.4 KB
Created: 2020-01-14 12:02:00
MD5: 543d584c15a9f76be24757f02bca13e3
SHA-1: 643c06d6c6a60e73579c8906e5b27d68030e339e
SHA-256: dde06476192019a4fbbc52864b2c5d26fd4f6e2d517b85da19ae6cfecce591a2
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.002 User Execution: Malicious File

The RTF file contains multiple embedded OLE objects, and one of them carries the \objupdate control word. \objupdate instructs Word to refresh the object as soon as the document is opened, which instantiates the object's OLE server (Equation Editor, in the documents where this control word is usually seen) without any click from the user; this is the standard delivery mechanism for OLE-based exploit documents. No scripts or macros were extracted, so the verdict rests on the embedded OLE objects together with the \objupdate heuristic rather than on a recovered payload, and the intent is most likely to exploit a vulnerability in the OLE server or to trick the user into activating the object. The carved object should be examined (class name, CLSID, structure) before the sample is attributed to a specific vulnerability. The SHA-256 hash is the primary identifier for this sample.

Heuristics 4

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 3 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2003/wordml
    Note: this URL is the WordprocessingML XML namespace URI that Word writes into RTF it generates. It is not a network indicator, is not contacted when the file is opened, and should not be blocked or pivoted on.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: objdata_00_off00008990.bin
SHA-256: 4c22d8d352f9764630710a971d3d4e1ee6157f024b75fc53b99a68552a59509b
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x8990
Size: 15892 bytes