Malicious RTF — malware analysis report

Static analysis result for SHA-256 f9ddc04378f1933a…

MALICIOUS

RTF

Size: 8.8 KB
First seen: 2020-08-10
MD5: b64dfaec711043dee37fc7d4f39f9a33
SHA-1: 5f5d62fb96b9734e238d8bf08844f3a8b6165cf6
SHA-256: f9ddc04378f1933a94f82a3292731d65025f9956742bc3292157f9735823ef7f
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment

The RTF document contains OLE object data and a \objupdate directive, indicating an attempt to exploit OLE activation for code execution. The embedded OLE object data is likely a payload designed to be triggered upon opening the document, potentially leading to further malicious activity.

Heuristics (2)

  • \objupdate forces OLE activation [severity: high] (RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [severity: medium] (RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
objdata_00_off000016cb.bin | rtf-objdata-decoded | RTF \objdata at offset 0x16CB | 1402 bytes
  SHA-256: 2c63cfd38900e11a6d1c950aef8b7d8303fc71cac7f7dbbb7b39da8d83c5a36c