Malicious RTF — malware analysis report

Static analysis result for SHA-256 f06f75be48b22dfd…

MALICIOUS

RTF

13.5 KB First seen: 2018-01-08
MD5: 5153af0823636c837c04d41da7c5b34c SHA-1: 5227976e843cf3c91d254cfffd2f04cbb78e7de1 SHA-256: f06f75be48b22dfd48a196fec7af2d960a3998388386c43ca0e0e6ba9134087a
100 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF document contains OLE object data that is automatically linked and updated, indicating an attempt to exploit vulnerabilities related to OLE object activation. This suggests the file is designed to execute arbitrary code upon opening, likely leading to a secondary payload.

Heuristics 3

  • Automatically linked OLE object high RTF_OBJAUTLINK
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00000063.bin rtf-objdata-decoded RTF \objdata at offset 0x63 4246 bytes
SHA-256: 7f8f799d4b4dcc217187bda870e0160eb02b05832363909041bee94a091ffd0a

Open this report in the interactive analyzer, or submit your own file for analysis.