Malicious RTF — malware analysis report

Static analysis result for SHA-256 f8428c4f921f6283…

MALICIOUS

RTF

18.3 KB First seen: 2020-07-24
MD5: 44ccb2ad625c5ff99ca763f8d6437615 SHA-1: d3a6700953b1c62492f7e64ced7aa1604ee76b89 SHA-256: f8428c4f921f6283f241d5243a75cf8bf6fcd3c815bc7ecfb5cc62d0a0d9dec7
60 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF file contains OLE object data and uses an \objupdate directive, which strongly indicates an attempt to exploit vulnerabilities associated with OLE object activation. This technique is commonly used to execute arbitrary code or download malicious payloads. No specific family could be identified due to the lack of further indicators.

Heuristics 2

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00001aa3.bin rtf-objdata-decoded RTF \objdata at offset 0x1AA3 1563 bytes
SHA-256: 9e68f70418fc00ec4684013ae367c58f3b678c67686c319eb614548491d07fe9

Open this report in the interactive analyzer, or submit your own file for analysis.