Malicious RTF — malware analysis report

Static analysis result for SHA-256 1e8821534b2be2de…

Verdict: MALICIOUS
File type: RTF
Size: 127.0 KB
First seen: 2024-06-21
MD5: 02859e41f804fe0bc8e74d60223b8ea6
SHA-1: 7e6caaf6ee7eefbf8ccefced5e72e5b20aac181d
SHA-256: 1e8821534b2be2de1cd51dc1dab3fa4b0e5df2fb7c0d5e15c9e92ff8459dbd90
Risk score: 60

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File
  • T1027 Obfuscated Files or Information

The RTF file contains embedded OLE object data (\objdata) and carries the \objupdate control word, which tells Word to update the object as soon as the document is opened instead of waiting for the user to double-click it. That automatic activation hands the embedded data to the registered OLE server without any user interaction, which is why \objupdate is a standard building block of exploit documents that target OLE servers such as Equation Editor and a common technique for delivering malicious payloads. The document body is unreadable, so the verdict rests on these structural heuristics: an exploit targeting OLE activation is strongly suggested, but no specific malware family could be identified.

Heuristics (2)

  • RTF_OBJUPDATE (severity: high): \objupdate forces OLE activation
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (severity: medium): OLE object data
    RTF contains 1 \objdata section(s), i.e. embedded OLE objects.
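The two heuristics above and the summary's description of \objupdate can be reproduced with a small amount of code. The following Python script is an added example, not part of this report or its analysis engine: it walks an RTF byte string, flags \objupdate, carves every \objdata hex run into bytes (skipping control words and nested groups that obfuscators sprinkle into the hex), and parses the OLE1 ObjectHeader at the front of each blob to recover the class name the OLE server is selected by. The RTF it analyses is constructed inline and embeds a fake "Equation.3" object; no real sample is used, and the rule names and severities are simply copied from the heuristics listed above.

```python
import re
import struct

# --- constructed sample -------------------------------------------------------
def build_ole1_embedded(class_name: bytes, native: bytes) -> bytes:
    """Build an OLE1 EmbeddedObject (MS-OLEDS): ObjectHeader + NativeDataSize + NativeData."""
    def lp_string(s: bytes) -> bytes:
        # LengthPrefixedAnsiString: 4-byte length including the NUL; length 0 means no string.
        if not s:
            return struct.pack("<I", 0)
        s += b"\x00"
        return struct.pack("<I", len(s)) + s
    header = struct.pack("<II", 0x00000501, 2)       # OLEVersion, FormatID 2 = embedded
    header += lp_string(class_name) + lp_string(b"") + lp_string(b"")  # ClassName, TopicName, ItemName
    return header + struct.pack("<I", len(native)) + native

SAMPLE_OBJECT = build_ole1_embedded(b"Equation.3", b"CONSTRUCTED-NATIVE-DATA")
_hex = SAMPLE_OBJECT.hex().encode("ascii")
# Hex is wrapped at 64 columns like Word writes it, and one junk nested group is
# planted mid-stream to exercise the parser's handling of obfuscation.
_hex_lines = [_hex[i:i + 64] for i in range(0, len(_hex), 64)]
_hex_lines.insert(1, b"{\\*\\junk 41414141}")
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\deff0\n"
    b"{\\object\\objemb\\objupdate\\objw1440\\objh720{\\*\\objclass Equation.3}\n"
    b"{\\*\\objdata " + b"\r\n".join(_hex_lines) + b"}}\n}"
)

# --- carving ------------------------------------------------------------------
OBJDATA_RE = re.compile(rb"\\objdata\b")
OBJUPDATE_RE = re.compile(rb"\\objupdate\b")
CONTROL_RE = re.compile(rb"\\[a-zA-Z]+-?\d* ?|\\[^a-zA-Z]")   # control word or control symbol
HEX_DIGITS = b"0123456789abcdefABCDEF"

def extract_objdata(rtf: bytes):
    """Return [(offset_of_\\objdata, decoded_bytes)] for every \\objdata group.
    Only hex digits at the group's own nesting level are kept; control words are
    skipped and nested groups are ignored rather than trusted."""
    results = []
    for m in OBJDATA_RE.finditer(rtf):
        depth, i, buf = 1, m.end(), bytearray()
        while i < len(rtf) and depth > 0:
            c = rtf[i:i + 1]
            if c == b"{":
                depth += 1
            elif c == b"}":
                depth -= 1
            elif c == b"\\":
                cw = CONTROL_RE.match(rtf, i)
                if cw:
                    i = cw.end()
                    continue
            elif depth == 1 and c in HEX_DIGITS:
                buf += c
            i += 1
        if len(buf) % 2:            # odd digit count: drop the dangling nibble
            buf = buf[:-1]
        results.append((m.start(), bytes.fromhex(buf.decode("ascii"))))
    return results

def parse_ole1_header(blob: bytes):
    """Parse the OLE1 ObjectHeader at the start of a decoded \\objdata blob, or return None."""
    def lp_string(off):
        (n,) = struct.unpack_from("<I", blob, off)
        off += 4
        return (blob[off:off + n].rstrip(b"\x00") if n else b""), off + n
    if len(blob) < 8:
        return None
    version, fmt = struct.unpack_from("<II", blob, 0)
    if version != 0x00000501 or fmt not in (1, 2):
        return None
    try:
        class_name, off = lp_string(8)
        _topic, off = lp_string(off)
        _item, off = lp_string(off)
        (native_size,) = struct.unpack_from("<I", blob, off)
    except struct.error:
        return None
    return {"format": "embedded" if fmt == 2 else "linked",
            "class_name": class_name.decode("latin-1"),
            "native_size": native_size,
            "native_data": blob[off + 4:off + 4 + native_size]}

def analyze(rtf: bytes) -> dict:
    """Apply the report's two heuristics and describe each carved object."""
    objects = extract_objdata(rtf)
    findings = []
    if OBJUPDATE_RE.search(rtf):
        findings.append(("RTF_OBJUPDATE", "high", "\\objupdate forces OLE activation"))
    if objects:
        findings.append(("RTF_OBJDATA", "medium", f"{len(objects)} \\objdata section(s)"))
    described = [{"offset": off, "size": len(blob), "ole1": parse_ole1_header(blob)}
                 for off, blob in objects]
    return {"findings": findings, "objects": described}

if __name__ == "__main__":
    result = analyze(SAMPLE_RTF)
    for rule, sev, text in result["findings"]:
        print(f"{rule:<14} {sev:<6} {text}")
    for obj in result["objects"]:
        print(f"objdata at 0x{obj['offset']:X}, {obj['size']} bytes, header={obj['ole1']}")
```

Run against a real file, the offset printed for each object corresponds to the "offset 0x…" value in an artifact listing like the one below, and the class name in the OLE1 header is what identifies the server that \objupdate will launch; a blob whose header does not parse is still worth carving, since it may be a raw OLE2 compound file or a packager payload rather than an OLE1 object.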

Extracted artifacts (1)

Files carved from inside the sample during analysis. The decoded \objdata blob is the object stream that \objupdate hands to the OLE server, so its OLE1 header (class name, native data size) is where to look to confirm which server the document targets.

Filename: objdata_00_off000015a7.bin
SHA-256: 65cea5b331bd5ca2f098e80eaef9888dce0fe9ff1d21ebc4fa35c6787aa1849d
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x15A7
Size: 4171 bytes