Malicious RTF — malware analysis report

Static analysis result for SHA-256 ef632bb8c0cf42c9…

MALICIOUS

RTF

12.4 KB First seen: 2020-09-15
MD5: 5c6c145a212bec9d17d3a818b25d3e5a SHA-1: ff533e49612b938497a1cdb96c841b366dbc2a38 SHA-256: ef632bb8c0cf42c95f5856ef63a5bbd7eb2ea45fde8cb54a3cc220c663587b3f
60 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF document contains OLE object data and an \objupdate directive, indicating an attempt to exploit a vulnerability related to OLE object activation. This technique is commonly used to achieve arbitrary code execution when the document is opened. The specific exploit is not detailed, but the heuristic firings strongly suggest exploitation.

Heuristics 2

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000021cc.bin rtf-objdata-decoded RTF \objdata at offset 0x21CC 1955 bytes
SHA-256: ce4e6f3bdd0777e78538e3dc614acffdab0c5f9cdb5f182558c40a00e6f969da

Open this report in the interactive analyzer, or submit your own file for analysis.