Malicious RTF — malware analysis report

Static analysis result for SHA-256 06dd39ea9ea0386a…

Verdict: MALICIOUS
File type: RTF
Size: 24.1 KB
MD5: 0f23b87813a5334decf2f11636db675d
SHA-1: f212862dc87fea0d91a6df5ae8fa522e544660fd
SHA-256: 06dd39ea9ea0386acad12b00b5b8c1c9ba953e0ed546b86cd4b64c45bbb7f3fe
Risk score: 100

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment

The RTF file contains OLE object data and uses \objupdate to force OLE activation, indicating an attempt to execute embedded content. The Ole10Native stream further confirms the presence of an embedded OLE object. While the exact payload is not directly visible, these indicators strongly suggest exploitation for client execution, likely delivered via spearphishing.

Heuristics (3)

  • Ole10Native stream in RTF OLE object (severity: high; tag: CVE related; rule: RTF_OLE10NATIVE_STREAM)
    RTF contains an embedded OLE object with an Ole10Native stream. This is a strong payload-container signal and is related to Word/OLE exploit delivery, but it is not specific enough on its own to assign a CVE.
  • \objupdate forces OLE activation (severity: high; rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium; rule: RTF_OBJDATA)
    RTF contains 2 \objdata section(s) (embedded OLE objects).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001c64.bin
SHA-256: 60c5f3278c0748ae058855c49acb8caa3a568f06dbb78d8db1fd6c1f82a76e03
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1C64
Size: 3682 bytes