Malicious RTF — malware analysis report

Static analysis result for SHA-256 e121adbe2f7872a0…

Verdict: MALICIOUS
File type: RTF
Size: 4.1 KB
First seen: 2020-09-04
MD5: 4034d69fc802814ce3ba23f6ec647cf6
SHA-1: f8204ef84b2122b0344f9aac03d2644c7a9d4373
SHA-256: e121adbe2f7872a0c8db01e8815d3808842d7183cd07ceea39b233851ef596f3
Risk score: 60

Malware Insights

MITRE ATT&CK: T1203 Exploitation for Client Execution

The RTF file contains an OLE object accompanied by the \objupdate directive, which forces OLE activation as soon as the document is opened. This indicates an attempt to exploit a vulnerability in the RTF parser (or in the activated OLE server) to execute arbitrary code. No specific malware family could be identified, and no network IOCs were extracted.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000007b.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x7B
Size: 1796 bytes
SHA-256: b6d08a70aa2f3c4358190135faa4ae4e175383a53271712cb3a5bea91df81614