Malicious RTF — malware analysis report

Static analysis result for SHA-256 0148aaa1bc49312c…

MALICIOUS

RTF

Size: 28.1 KB
First seen: 2023-04-21
MD5: 0817ef065eab1d86f70a24c0100a62e2
SHA-1: 382996b5049aa9dc672795d8dfa765697b1c852f
SHA-256: 0148aaa1bc49312cada5408720ed9f547044dbed42cac01f0fea834bda8b5eac
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The RTF file contains OLE object data together with a \objupdate directive, indicating an attempt to execute the embedded content automatically when the document is opened. The specific payload cannot be determined from the available heuristics and document body, but the technique strongly suggests malicious intent to exploit the user or system.

Heuristics 2

  • \objupdate forces OLE activation [high] (RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] (RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename                    Kind                 Source                         Size
objdata_00_off00001c8b.bin  rtf-objdata-decoded  RTF \objdata at offset 0x1C8B  4168 bytes
  SHA-256: 203771910f4151b58727b6b3d0c365f4be167d412b8b7aa81d28c4d014335d46