Malicious RTF — malware analysis report

Static analysis result for SHA-256 e617ba1156d6c8d3…

MALICIOUS

RTF

59.2 KB Created: 2019-05-28 19:25:00 First seen: 2020-09-24
MD5: 6d7d69e897351f6af2399bfdcf00983a SHA-1: 4e0affb1011938b61ba4000ad57cf88016878b78 SHA-256: e617ba1156d6c8d3e724bb74ad436bbe4ec3da8e46bd156ad5cfbabfefa07b99
62 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains OLE object data and an \objupdate directive, indicating an attempt to exploit OLE activation for code execution. While the document body discusses Microsoft Corporation, it lacks any direct instructions or lures. The primary threat stems from the embedded OLE object, which is likely to trigger a secondary payload.

Heuristics 3

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2003/wordml In RTF body

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0000c01d.bin rtf-objdata-decoded RTF \objdata at offset 0xC01D 5254 bytes
SHA-256: 63105b55c326661eb0bde39292eed4d9b9b53a9df81dc717031e2f6b78176c2c

Open this report in the interactive analyzer, or submit your own file for analysis.