Malicious RTF — malware analysis report

Static analysis result for SHA-256 eec9b14da6a2745f…

MALICIOUS

RTF

Size: 577.3 KB
Created: 2020-04-14 22:43:00
MD5: 54f778369ad36cb51d021c58168473e4
SHA-1: cc0010c2fa3e2e36e927df9e3cb067cf2a3fca5c
SHA-256: eec9b14da6a2745f089361002429d13b044d66dedf944e951b39f9d243ae3df9
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking
T1204.002 Malicious File

The RTF document contains multiple OLE objects. Heuristics indicate that \objupdate forces OLE activation and that a Package object class is present, which suggests the file is designed to abuse OLE object handling to execute malicious code. No document body or scripts were extracted, which limits further analysis of the specific payload.

Heuristics (4)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • Package object class (severity: high, rule: RTF_OBJCLASS_PACKAGE)
    OLE Package object, which can wrap arbitrary files.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 5 \objdata section(s), i.e. embedded OLE objects.
  • Embedded OLE object (severity: medium, rule: RTF_OBJEMB)
    RTF contains \objemb, an embedded OLE object.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00002601.bin
SHA-256: c30953b855ea7588a1682571928807b6a0fff34b75bb525a09847cff1024c726
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x2601
Size: 50235 bytes