Malicious RTF — malware analysis report

Static analysis result for SHA-256 084f59705fb0a988…

Verdict: MALICIOUS
File type: RTF
Size: 23.2 KB
MD5: 30e90b61102da9d9132f6ccbfd286b73
SHA-1: 949578725228909ffff575b8e2a7b397e6097585
SHA-256: 084f59705fb0a98883454b511a2939f6ed91e9c04b7a2d7f8cb13ec834ec5215
Risk score: 100

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The RTF document embeds OLE object data and carries the \objupdate control word, which makes Word update, and therefore instantiate, the embedded object as soon as the document is opened, with no user interaction. That is the classic way to force execution of embedded content. The presence of an Ole10Native stream further supports this: Ole10Native is the container the OLE Packager uses for arbitrary embedded files, so the object is most likely a native executable or script rather than a document fragment. This combination is commonly used to deliver secondary payloads, hence the high confidence in the exploitation-for-client-execution attack pattern. Neither indicator on its own identifies a specific vulnerability, so the carved object should be examined to confirm what is actually executed.

Heuristics (3)

  • RTF_OLE10NATIVE_STREAM (severity: high, CVE-related): Ole10Native stream in RTF OLE object
    RTF contains an embedded OLE object with an Ole10Native stream. This is a strong payload-container signal and is related to Word/OLE exploit delivery, but it is not specific enough on its own to assign a CVE.
  • RTF_OBJUPDATE (severity: high): \objupdate forces OLE activation
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Seen almost exclusively in Equation Editor exploit documents.
  • RTF_OBJDATA (severity: medium): OLE object data
    RTF contains 2 \objdata section(s), i.e. embedded OLE objects.
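The three heuristics above can be reproduced with a short triage script. The following is an added example, not part of the original report or of the engine that produced it: it flags \objupdate, counts \objdata groups, decodes each group's hex as an OLE 1.0 EmbeddedObject (ObjectHeader followed by NativeDataSize and NativeData, as in MS-OLEDS) and, for the Package class, walks the Ole10Native layout to recover the dropped filename and payload, which is the same inspection a carved \objdata artifact gets. Offsets are reported in the same hex notation the artifact table uses. The sample RTF, the exact Ole10Native field layout, the Equation.3 stub and the invoice.exe payload are constructed assumptions for illustration, and obfuscated real-world samples (interleaved junk control words, \bin runs, split groups) need a full RTF parser such as oletools' rtfobj rather than this hex scraper.

```python
import re
import struct

OBJUPDATE_RE = re.compile(rb'\\objupdate\b')
OBJDATA_RE = re.compile(rb'\\objdata\b')
CONTROL_WORD_RE = re.compile(rb'\\[A-Za-z]+-?\d*')
CFB_MAGIC = b'\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1'  # OLE compound file signature


def objdata_blobs(rtf):
    """Yield (offset, decoded bytes) per \\objdata group. Strips nested control
    words and non-hex bytes only; obfuscated samples need a real RTF parser."""
    for m in OBJDATA_RE.finditer(rtf):
        depth, j = 0, m.end()
        while j < len(rtf) and not (rtf[j] == 0x7D and depth == 0):  # unmatched '}'
            depth += (rtf[j] == 0x7B) - (rtf[j] == 0x7D)
            j += 1
        span = CONTROL_WORD_RE.sub(b'', rtf[m.end():j])
        digits = re.sub(rb'[^0-9A-Fa-f]', b'', span)
        yield m.start(), bytes.fromhex(digits[:len(digits) & ~1].decode('ascii'))

def lp_string(buf, off):
    """MS-OLEDS LengthPrefixedAnsiString: DWORD length (incl. NUL), then bytes."""
    n, = struct.unpack_from('<I', buf, off)
    return buf[off + 4:off + 4 + n].rstrip(b'\x00'), off + 4 + n

def parse_ole1_object(blob):
    """OLE 1.0 EmbeddedObject: ObjectHeader, NativeDataSize, NativeData."""
    version, format_id = struct.unpack_from('<II', blob, 0)
    class_name, off = lp_string(blob, 8)
    _topic, off = lp_string(blob, off)
    _item, off = lp_string(blob, off)
    size, = struct.unpack_from('<I', blob, off)
    return {'ole_version': version, 'format_id': format_id,
            'class_name': class_name.decode('latin-1'), 'native': blob[off + 4:off + 4 + size]}

def parse_ole10native(native):
    """Ole10Native payload of a Package object (assumed layout, no leading size
    DWORD): WORD flags, NUL-terminated filename and source path, two DWORDs,
    NUL-terminated temp path, DWORD payload size, payload."""
    def cstr(o):
        end = native.index(b'\x00', o)
        return native[o:end].decode('latin-1'), end + 1
    filename, off = cstr(2)
    src_path, off = cstr(off)
    temp_path, off = cstr(off + 8)
    size, = struct.unpack_from('<I', native, off)
    return {'filename': filename, 'src_path': src_path, 'temp_path': temp_path,
            'data': native[off + 4:off + 4 + size]}

def triage_rtf(rtf):
    """Return heuristic IDs (named as in the report above) and parsed objects."""
    findings, objects = set(), []
    if OBJUPDATE_RE.search(rtf):
        findings.add('RTF_OBJUPDATE')
    for offset, blob in objdata_blobs(rtf):
        findings.add('RTF_OBJDATA')
        try:
            obj = parse_ole1_object(blob)
            if obj['class_name'] == 'Package':
                obj['package'] = parse_ole10native(obj['native'])
                findings.add('RTF_OLE10NATIVE_STREAM')
        except (struct.error, ValueError):
            objects.append({'offset': offset, 'error': 'malformed object'})
            continue
        obj['offset'] = offset
        obj['cfb'] = obj['native'].startswith(CFB_MAGIC)  # e.g. Equation.3 storage
        objects.append(obj)
    return {'findings': sorted(findings), 'objects': objects}

# Constructed sample document (not the analysed file); the payload is a stub.
def build_ole1_embedded(class_name, native):
    def lp(s):
        return struct.pack('<I', len(s) + 1) + s + b'\x00' if s else b'\x00' * 4
    header = struct.pack('<II', 0x00000501, 2) + lp(class_name) + lp(b'') + lp(b'')
    return header + struct.pack('<I', len(native)) + native

def build_ole10native(filename, src_path, payload):
    return (struct.pack('<H', 2) + filename + b'\x00' + src_path + b'\x00'
            + struct.pack('<II', 0, len(src_path) + 1) + src_path + b'\x00'
            + struct.pack('<I', len(payload)) + payload)

def rtf_hex(data, width=64):  # hex split across lines, as Word writes it
    h = data.hex().encode('ascii')
    return b'\n'.join(h[i:i + width] for i in range(0, len(h), width))

PAYLOAD = b'MZ' + b'\x00' * 30
PACKAGE = build_ole1_embedded(b'Package', build_ole10native(
    b'invoice.exe', b'C:\\Users\\victim\\invoice.exe', PAYLOAD))
EQUATION = build_ole1_embedded(b'Equation.3', CFB_MAGIC + b'\x00' * 8)
SAMPLE_RTF = (b'{\\rtf1\\ansi\\deff0\n'
              b'{\\object\\objemb\\objupdate{\\*\\objclass Package}{\\*\\objdata\n'
              + rtf_hex(PACKAGE) + b'}}\n'
              b'{\\object\\objemb{\\*\\objclass Equation.3}{\\*\\objdata\n'
              + rtf_hex(EQUATION) + b'}}\n\\par }')
BENIGN_RTF = b'{\\rtf1\\ansi Quarterly report, text only.\\par }'
```

Running `triage_rtf(SAMPLE_RTF)` yields the same three IDs the report lists, two objects, and for the Package object the dropped filename and its bytes; the benign document yields nothing. The `cfb` flag marks NativeData that starts with the compound-file signature, which is where an Equation Editor object's storage would begin and where a CVE-specific check would have to continue.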

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000173c.bin
SHA-256: 75a299266f7c2b55862b64d0b247b6f76991b3a0819c922f4643b814e6b41a4e
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x173C
Size: 4213 bytes

The heuristics above count two \objdata sections, but only one decoded object is listed here; the second section should be carved and examined as well before the analysis is considered complete.