Malicious RTF — malware analysis report

Static analysis result for SHA-256 e75132168e3ef05b…

Verdict: MALICIOUS
File type: RTF
Size: 1.51 MB   Created: 2019-01-07 23:54:00
MD5: 3f962993574de94e014a77fd1b458977
SHA-1: dda6b74c5ea0b9de434140d0c898dc1dbdd93fcc
SHA-256: e75132168e3ef05b0891a03cc233e7c74f166f1f1aa69fc57ccc5ef0fca182ee
Risk score: 160

Malware Insights

MITRE ATT&CK
T1559.001 Inter-Process Communication: Component Object Model
T1204.002 User Execution: Malicious File

The RTF file embeds multiple OLE objects. Two high-severity heuristics fire: the \objupdate control word forces the embedded object to activate as soon as the document is opened, and the object class is Package, which can wrap an arbitrary file. Roughly 1.1 MB of hex-encoded data sits inside \objdata sections, which is consistent with a hidden payload. Taken together, these indicators point to a document built to abuse RTF and OLE object handling in order to deliver and execute embedded code.

Heuristics (5)

  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    The RTF contains \objupdate, which forces the OLE object to be updated (instantiated) when the document is opened, so no click or other user interaction is required. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJCLASS_PACKAGE (high): Package object class
    OLE Package object; can wrap an arbitrary file.
  • RTF_EXCESSIVE_HEX (high): Large hex data blocks in OLE object
    The RTF contains about 1108 KB of hex-encoded data inside \objdata sections; this may hide a payload.
  • RTF_OBJDATA (medium): OLE object data
    The RTF contains 14 \objdata sections (embedded OLE objects).
  • RTF_OBJEMB (medium): Embedded OLE object
    The RTF contains \objemb, marking an embedded (rather than linked) OLE object.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000a85.bin
SHA-256:  f25c57120ecb4b3a66d148257da18a1c4cea93c3253f7d74b3aead1b8bd75d27
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0xA85
Size:     54318 bytes
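The heuristics above and the carved artifact are both products of the same two steps: spotting the RTF control words (\objemb, \objupdate, \objclass, \objdata) and hex-decoding each \objdata body so the OLE 1.0 object inside can be walked. The following is an added example of that logic, written for this page and not the analysis platform's own code. It builds a constructed RTF (not the analysed sample) with one embedded Package object, then scans it: the control-word checks, the \objdata hex decode with offset, size and SHA-256 of the carved blob, and a parse of the MS-OLEDS ObjectHeader to recover the class name and native payload. The EXCESSIVE_HEX threshold, the heuristic names' mapping to severities and the fake payload are assumptions made for the example.

```python
import binascii
import hashlib
import re
import struct

# --- constructed sample (NOT the analysed file) ---------------------------
# A minimal RTF with one embedded OLE object that trips the same heuristics:
# \objemb, \objupdate, \objclass Package and a hex-encoded \objdata body.

def _lp_ansi(s: bytes) -> bytes:
    """MS-OLEDS LengthPrefixedAnsiString: 4-byte length (incl. NUL) then the bytes; 0 = empty."""
    if not s:
        return struct.pack("<I", 0)
    s = s + b"\x00"
    return struct.pack("<I", len(s)) + s

def build_ole1_embedded(class_name: bytes, native: bytes) -> bytes:
    """OLE 1.0 EmbeddedObject (MS-OLEDS 2.2.4): ObjectHeader + NativeDataSize + NativeData."""
    header = struct.pack("<II", 0x00000501, 2)  # OLEVersion, FormatID 2 = embedded object
    header += _lp_ansi(class_name) + _lp_ansi(b"") + _lp_ansi(b"")  # ClassName, TopicName, ItemName
    return header + struct.pack("<I", len(native)) + native

FAKE_NATIVE = b"MZ" + b"\x90" * 30 + b"constructed payload, not a real binary"  # assumption
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Arial;}}\n"
    b"{\\object\\objemb\\objupdate{\\*\\objclass Package}\\objw1440\\objh720\n"
    b"{\\*\\objdata " + binascii.hexlify(build_ole1_embedded(b"Package", FAKE_NATIVE)) + b"}}\n"
    b"\\par Please see the attached invoice.\\par}"
)

# --- detection ------------------------------------------------------------
RTF_HEURISTICS = {  # name -> (byte regex, severity); severities mirror the report
    "RTF_OBJUPDATE":        (rb"\\objupdate\b", "high"),
    "RTF_OBJCLASS_PACKAGE": (rb"\\objclass\s+Package\b", "high"),
    "RTF_OBJEMB":           (rb"\\objemb\b", "medium"),
}
EXCESSIVE_HEX_BYTES = 100 * 1024  # assumed threshold; the report does not state its own

def parse_ole1(raw: bytes) -> dict:
    """Walk the OLE 1.0 ObjectHeader at the start of a decoded \\objdata blob."""
    pos = 0
    ole_version, format_id = struct.unpack_from("<II", raw, pos)
    pos += 8

    def lp_ansi() -> str:
        nonlocal pos
        (n,) = struct.unpack_from("<I", raw, pos)
        pos += 4
        s = raw[pos:pos + n]
        pos += n
        return s.rstrip(b"\x00").decode("latin-1")

    class_name, topic_name, item_name = lp_ansi(), lp_ansi(), lp_ansi()
    obj = {"ole_version": ole_version, "format_id": format_id,
           "class_name": class_name, "topic_name": topic_name, "native": b""}
    if format_id == 2:  # only embedded objects carry NativeDataSize + NativeData
        (size,) = struct.unpack_from("<I", raw, pos)
        pos += 4
        obj["native"] = raw[pos:pos + size]
    return obj

def scan_rtf(data: bytes) -> dict:
    """Return the fired heuristics plus one record per carved \\objdata object."""
    hits = {name: sev for name, (pat, sev) in RTF_HEURISTICS.items() if re.search(pat, data)}
    objects, total_hex = [], 0
    for m in re.finditer(rb"\\(?:\*\\)?objdata\s*", data):
        start = m.end()
        end = data.find(b"}", start)  # simplified: assumes no nested group inside \objdata
        # real documents break the hex across lines; keep only hex digits
        hexblob = re.sub(rb"[^0-9A-Fa-f]", b"", data[start:end])
        hexblob = hexblob[: len(hexblob) & ~1]  # drop a dangling nibble
        raw = binascii.unhexlify(hexblob)
        total_hex += len(hexblob)
        ole = parse_ole1(raw)
        objects.append({
            "offset": start,
            "decoded_size": len(raw),
            "sha256": hashlib.sha256(raw).hexdigest(),
            "class_name": ole["class_name"],
            "native": ole["native"],
        })
    if objects:
        hits["RTF_OBJDATA"] = "medium"
    if total_hex > EXCESSIVE_HEX_BYTES:
        hits["RTF_EXCESSIVE_HEX"] = "high"
    # The \objclass hint in the RTF can be spoofed; the OLE header is what the
    # loader honours, so flag Package from either source.
    if any(o["class_name"] == "Package" for o in objects):
        hits["RTF_OBJCLASS_PACKAGE"] = "high"
    return {"heuristics": hits, "objects": objects}

if __name__ == "__main__":
    report = scan_rtf(SAMPLE_RTF)
    for name, sev in report["heuristics"].items():
        print(f"{sev:6} {name}")
    for o in report["objects"]:
        print(f"objdata @0x{o['offset']:X} {o['decoded_size']} bytes "
              f"class={o['class_name']} sha256={o['sha256']}")
```

Running it on the constructed sample lists RTF_OBJUPDATE, RTF_OBJCLASS_PACKAGE, RTF_OBJEMB and RTF_OBJDATA and prints one carved object with class Package; RTF_EXCESSIVE_HEX does not fire because the fake payload is tiny. The hex decode stops at the first closing brace, so an obfuscated sample that nests groups or splices control words into the \objdata run needs a proper RTF tokenizer rather than this regex pass.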