Malicious RTF — malware analysis report

Static analysis result for SHA-256 07a74ba9028da2e0…

MALICIOUS

RTF

Size: 183.5 KB
First seen: 2024-07-06
MD5: cc0b1bf6acbc5bf74687b41539a2f5f2
SHA-1: d00f6f1e88dbf44138b6567663e04fc1a891c897
SHA-256: 07a74ba9028da2e0dff7ffb089b57d62443d7799e6d0cf8383e3e04959aad3b8
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The RTF file contains OLE object data and an \objupdate directive, indicating an attempt to exploit OLE object activation for malicious purposes. This suggests a spearphishing attachment attack vector. No specific malware family could be identified, and the document body was truncated, limiting further analysis.

Heuristics (2)

  • RTF_OBJUPDATE (severity: high) — \objupdate forces OLE activation
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (severity: medium) — OLE object data
    RTF contains 1 \objdata section(s) (embedded OLE objects).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: objdata_00_off00001070.bin
  SHA-256:  147e8c03e27acf9a29dc0ea8a3128fe4aa1f191206e11431fd8e804384fc5d96
  Kind:     rtf-objdata-decoded
  Source:   RTF \objdata at offset 0x1070
  Size:     3670 bytes