Malicious RTF — malware analysis report

Static analysis result for SHA-256 e63f387576728aa5…

Verdict: MALICIOUS

File type: RTF

Size: 3.8 KB
First seen: 2020-09-15
MD5: 6a79db3ac8cf5da30b852f7f7df42f74
SHA-1: fe86fe21e2cb13b590f00b8965b3c524b398ccb5
SHA-256: e63f387576728aa5b18cc7a2514cb3b45df942d0610af58ff38a72a7b3945b1f
Risk score: 80

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF document contains OLE object data that is flagged as suspicious and potentially contains shellcode. The \objupdate directive indicates an attempt to force OLE activation without user interaction, suggesting that an exploit is being leveraged for client execution. No document body text or scripts were available for further analysis.

Heuristics (3)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects.
  • Suspicious extracted artifact (severity: medium, rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000003b4.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x3B4
Size: 1431 bytes
SHA-256: ed779516293849656b8b3d4326d1edad0ccd69d8093f7b05948e30f873dbf444

Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_GETPC_CALL