Malicious RTF — malware analysis report

Static analysis result for SHA-256 f6b0278bd6489caf…

MALICIOUS

RTF

3.9 KB First seen: 2020-07-24
MD5: 991a436fcefc859d3cfca88a78e7dc00 SHA-1: c1f9ef66a9f17bf5631cac001079070a972972e6 SHA-256: f6b0278bd6489cafc610f100bd094c814132d7b414ec19c224b6ac6f5b9bc6ae
60 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF file contains an embedded OLE object, indicated by the RTF_OBJDATA heuristic. The RTF_OBJUPDATE heuristic at offset 0xF80 suggests that this object is designed to be automatically activated upon opening the document, leading to the execution of arbitrary code. No specific family could be identified from the available evidence.

Heuristics 2

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000000a0.bin rtf-objdata-decoded RTF \objdata at offset 0xA0 1682 bytes
SHA-256: c0a793df68578fc01dd509ae849cddc7aea243be87c2a93123158e994e9fc9f2

Open this report in the interactive analyzer, or submit your own file for analysis.