Malicious RTF — malware analysis report

Static analysis result for SHA-256 15d42286af74442d…

Verdict: MALICIOUS
File type: RTF
Size: 180.6 KB
MD5: cc097b6aad3b272f162fa79e5ade5279
SHA-1: 268044a33f682cbb6d270f70ffa187d2b3f616df
SHA-256: 15d42286af74442dce1e55482fcc14125cb61eade3591d8b745d0a59ad2eea0d
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The RTF document contains OLE object data and uses an \objupdate directive, indicating an attempt to exploit OLE activation for code execution. While no specific malware family is identified, the technique suggests a malicious document designed to deliver a payload upon opening. The lack of document body text or scripts limits further analysis of the specific lure or payload.

Heuristics (2)

  • \objupdate forces OLE activation [severity: high] RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [severity: medium] RTF_OBJDATA
    RTF contains 1 \objdata section(s) (embedded OLE objects).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000006c4.bin
SHA-256:  e685f976cb34c6eba261f0de867acb3326bf2df3508cb657b3d71d09e78283c8
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x6C4
Size:     2168 bytes