Malicious RTF — malware analysis report

Static analysis result for SHA-256 17b640449aa90a91…

MALICIOUS

RTF

Size: 22.5 KB
First seen: 2023-06-02
MD5: f4b2703a921facad2c48fdecca12ae21
SHA-1: 020a8ebfa0b76d556b782bca144e644ac30b0c74
SHA-256: 17b640449aa90a91d32537b3206b270952e61270442a74a43bfefbe8d1cb6275
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The RTF file contains OLE object data and a ".objupdate" directive, which strongly suggests it is designed to embed and automatically activate a malicious OLE object. This technique is commonly used to deliver secondary payloads, such as malware, by tricking the user into opening the document. No specific family could be identified from the available heuristics.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000111e.bin
SHA-256: 3b6c3aa0bd15f07ebaea3a44eccb2d3a5d3edf858776f11ef9b2155ca76611c8
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x111E
Size: 3656 bytes