Malicious RTF — malware analysis report

Static analysis result for SHA-256 f0f8a88604193051…

MALICIOUS

RTF

687.8 KB Created: 2019-07-16 06:04:00 First seen: 2020-01-07
MD5: 9170eb9eba5241da290a83b75bff4968 SHA-1: 6b214908b5dd938c90cd08f0ef6fd625c33874c1 SHA-256: f0f8a8860419305185c4a113edcd763e5501d7cdc4df59dce40605108adb8bba
122 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains multiple embedded OLE objects, with one specifically identified as a Package object. The presence of \objupdate directives strongly suggests that these objects are designed to be activated automatically upon opening the document, leading to the execution of embedded malicious code. This indicates an exploitation attempt targeting client execution, likely delivered via spearphishing.

Heuristics 5

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • Package object class high RTF_OBJCLASS_PACKAGE
    OLE Package object — can wrap arbitrary files
  • OLE object data medium RTF_OBJDATA
    RTF contains 3 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0000298e.bin rtf-objdata-decoded RTF \objdata at offset 0x298E 288146 bytes
SHA-256: d9da9be0265994e9e11fe9217e53dff535f46c4bdcff9933b55b75abfb0f4015
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 8.00, consistent with packed or encrypted content.
objdata_01_off0008f513.bin rtf-objdata-decoded RTF \objdata at offset 0x8F513 21563 bytes
SHA-256: e03b84cd60be7e8854bc09d56ed49e71525434f1f4b7f0c81a01885868609eb8
objdata_02_off0009b282.bin rtf-objdata-decoded RTF \objdata at offset 0x9B282 21563 bytes
SHA-256: 6f59162db72e8b6c5d953d6df8bcb7d8d8d3dd35b6a285fdb83126590489197e

Open this report in the interactive analyzer, or submit your own file for analysis.