Malicious RTF — malware analysis report

Static analysis result for SHA-256 ea7131b9fdd8023e…

MALICIOUS

RTF

229.6 KB Created: 2020-01-14 12:02:00
MD5: d1632c26ac7aa664f9609f2ddcecb148
SHA-1: d458682909da945cc87af7fba42fad94e43fbab6
SHA-256: ea7131b9fdd8023e814e33bf74745d12d1874ea9398d601bc0617182e9baab3a
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The RTF document contains multiple OLE objects, with one specifically triggering an \objupdate command. This suggests an attempt to automatically activate embedded content, which is a common technique for delivering malicious payloads. While no scripts were extracted, the presence of OLE objects and the \objupdate heuristic strongly indicate a malicious intent to exploit embedded object functionality. The document body is minimal and does not provide further context.

Heuristics (4)

  • \objupdate forces OLE activation (high) RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (medium) RTF_OBJDATA
    RTF contains 3 \objdata section(s) — embedded OLE objects
  • Embedded OLE object (medium) RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000898b.bin
SHA-256:  0ba49bb8939804515d76b5cbf92f7485717c727d642f3b2ae00c8476028eb679
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x898B
Size:     15892 bytes