Malicious RTF — malware analysis report

Static analysis result for SHA-256 e8e52e433d67088c…

MALICIOUS

RTF

Size: 427.9 KB
Created: 2019-01-07 23:54:00
MD5: debf2f1e560cbb955561cac3bc18cda7
SHA-1: d52b5edbadd87da8fc2c4415b22918ae78359ba6
SHA-256: e8e52e433d67088cf5334f85c1b64e7b8fbaa2ceccb82b1db6e0c80cd79641f2
Risk Score: 120

Malware Insights

MITRE ATT&CK: T1566.001 (Spearphishing Attachment), T1204.002 (Malicious File)

The RTF document contains multiple OLE objects, with heuristics indicating the use of \objupdate to force activation. This suggests the file is designed to exploit vulnerabilities through embedded objects, likely for initial access. The specific OLE object class identified as 'Package' further supports this. No scripts were extracted from this sample.

Heuristics (4)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • Package object class (severity: high, rule: RTF_OBJCLASS_PACKAGE)
    OLE Package object — can wrap arbitrary files.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 5 \objdata section(s) — embedded OLE objects.
  • Embedded OLE object (severity: medium, rule: RTF_OBJEMB)
    RTF contains \objemb — embedded OLE object.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000a58.bin
SHA-256:  208f8c5d41a7cb3bd04e437b2d70193059820917eef4b3d934d3a3d3e62c75dd
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0xA58
Size:     35899 bytes