Malicious RTF — malware analysis report

Static analysis result for SHA-256 2022d9cc42ed2838…

Verdict: MALICIOUS
File type: RTF
Size: 1.24 MB
MD5: 4fc5ba9426e9191aab4e694e7e703e13
SHA-1: b5ebaf2f5af220fe1b1de5433c2e39ff16b0c0b4
SHA-256: 2022d9cc42ed2838daa442561107c29297bddb88b36222345c10b39164e66819
Risk score: 80

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious File

The RTF document carries three embedded OLE objects (\objemb with \objdata payloads), and one of them is marked with the \objupdate control word. \objupdate tells the RTF consumer to update the object as soon as the document is loaded, so the associated OLE server is instantiated without the user double-clicking anything; this is the standard trigger used by Equation Editor exploit documents and points to an attempt to exploit OLE object handling to execute arbitrary code. No document body text or scripts were extracted, which limits analysis of the lure and of the payload carried in the objects' native data. The three carved \objdata streams (9361, 276 and 142846 bytes) are the place to continue: the OLE1 header of each gives the class name of the object, and hence which OLE server \objupdate would load.

Heuristics (3)

  • [high] RTF_OBJUPDATE: \objupdate forces OLE activation
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • [medium] RTF_OBJDATA: OLE object data
    RTF contains 3 \objdata section(s) (embedded OLE objects).
  • [medium] RTF_OBJEMB: embedded OLE object
    RTF contains \objemb (embedded OLE object).

Extracted artifacts (3)

Files carved from inside the sample during analysis.

objdata_00_off00000cd5.bin
  SHA-256: 3b41bd3814d4f020b214213c74b0bc1d36aa94b1cc0394461b8daeee9a1333e4
  Kind:    rtf-objdata-decoded
  Source:  RTF \objdata at offset 0xCD5
  Size:    9361 bytes

objdata_01_off00005b20.bin
  SHA-256: e4d277874d9b18c12a63a3ef5684febe5889d08550bc2357b9e03cb4855dff42
  Kind:    rtf-objdata-decoded
  Source:  RTF \objdata at offset 0x5B20
  Size:    276 bytes

objdata_02_off0000637a.bin
  SHA-256: 08b25582384c65e73391d1c44a9e21c0397701fb25e6083ec03f3926fc794e2a
  Kind:    rtf-objdata-decoded
  Source:  RTF \objdata at offset 0x637A
  Size:    142846 bytes
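The following Python is an added example, not the analyser's code and not derived from this sample. It performs the two steps this report summarises, the RTF_OBJUPDATE / RTF_OBJEMB / RTF_OBJDATA heuristics and the carving of every \objdata group into a decoded OLE1 stream with offset, size and SHA-256, and then reads the OLE1 header to recover the class name that \objupdate would cause to load. Assumptions: the RTF and the OLE1 blob inside it are constructed inline (the native payload is zero filler); the rule ids and severities are copied from this report; the offset recorded is that of the \objdata control word, which is a guess at how the "at offset" column above is computed; only hex-encoded object data is handled, not \bin runs.

```python
import hashlib
import re
import struct

# ---- Constructed sample RTF (not the analysed file) -------------------------
# Minimal OLE1 EmbeddedObject stream (MS-OLEDS 2.2.5): OLEVersion, FormatID=2,
# length-prefixed ClassName/TopicName/ItemName, NativeDataSize, NativeData.
def _lp_string(s: bytes) -> bytes:
    """LengthPrefixedAnsiString: 4-byte length including the NUL, then the bytes."""
    if not s:
        return struct.pack('<I', 0)
    return struct.pack('<I', len(s) + 1) + s + b'\x00'

def build_ole1_embedded(class_name: bytes, native: bytes) -> bytes:
    return (struct.pack('<II', 0x00000501, 2) + _lp_string(class_name)
            + _lp_string(b'') + _lp_string(b'')
            + struct.pack('<I', len(native)) + native)

OLE1_BLOB = build_ole1_embedded(b'Equation.3', b'\x00' * 24)   # inert filler payload

def _wrap_hex(raw: bytes, width: int = 64) -> bytes:
    """Hex-encode and wrap with CRLF, as Word does when it writes \\objdata."""
    h = raw.hex().encode('ascii')
    return b'\r\n'.join(h[i:i + width] for i in range(0, len(h), width))

RTF_SAMPLE = (
    b'{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Arial;}}\r\n'
    b'{\\object\\objemb\\objupdate\\objw380\\objh260{\\*\\objclass Equation.3}\r\n'
    b'{\\*\\objdata ' + _wrap_hex(OLE1_BLOB) + b'}}\r\n'
    b'\\par }'
)

# ---- Heuristics (rule ids and severities as in the report) -------------------
OBJDATA_RE = re.compile(rb'\\objdata\b')
_KEYWORD_RULES = [
    ('RTF_OBJUPDATE', 'high', rb'\\objupdate\b',
     '\\objupdate forces automatic OLE object instantiation on open'),
    ('RTF_OBJEMB', 'medium', rb'\\objemb\b', 'embedded OLE object'),
]

def run_heuristics(rtf: bytes) -> list:
    hits = [(rule, sev, desc) for rule, sev, pat, desc in _KEYWORD_RULES
            if re.search(pat, rtf)]
    n = len(OBJDATA_RE.findall(rtf))
    if n:
        hits.append(('RTF_OBJDATA', 'medium', f'{n} \\objdata section(s)'))
    return hits

# ---- \objdata carving --------------------------------------------------------
# Control word (\word, optional signed number, optional delimiter space) or
# control symbol (\ plus one non-letter); both are skipped, never hex-decoded.
_CONTROL_RE = re.compile(rb'\\[A-Za-z]+-?[0-9]* ?|\\[^A-Za-z]')

def carve_objdata(rtf: bytes) -> list:
    """One record per \\objdata group: offset of the control word, decoded bytes,
    size and SHA-256. Hex data only; \\bin runs are out of scope here."""
    records = []
    for m in OBJDATA_RE.finditer(rtf):
        depth, i, body = 0, m.end(), bytearray()
        while i < len(rtf):
            b = rtf[i]
            if b == 0x7B:                        # '{' nested group opens
                depth += 1
            elif b == 0x7D:                      # '}'
                if depth == 0:                   # closes the \objdata group
                    break
                depth -= 1
            elif b == 0x5C:                      # '\' skip control word/symbol
                cm = _CONTROL_RE.match(rtf, i)
                if cm:
                    i = cm.end()
                    continue
            else:
                body.append(b)
            i += 1
        hexdata = re.sub(rb'[^0-9A-Fa-f]', b'', bytes(body))  # drop CRLF, spaces
        if len(hexdata) % 2:                     # tolerate a stray nibble
            hexdata = hexdata[:-1]
        raw = bytes.fromhex(hexdata.decode('ascii'))
        records.append({'offset': m.start(), 'size': len(raw),
                        'sha256': hashlib.sha256(raw).hexdigest(), 'data': raw})
    return records

def parse_ole1_header(data: bytes):
    """Read the OLE1 ObjectHeader; return None if the stream is malformed."""
    try:
        version, fmt = struct.unpack_from('<II', data, 0)
        off, names = 8, []
        for _ in range(3):                       # ClassName, TopicName, ItemName
            (n,) = struct.unpack_from('<I', data, off)
            off += 4
            if n > 1024 or off + n > len(data):
                return None
            names.append(data[off:off + n].rstrip(b'\x00').decode('latin-1'))
            off += n
        native_size = struct.unpack_from('<I', data, off)[0] if fmt == 2 else None
    except struct.error:
        return None
    return {'ole_version': version, 'format_id': fmt,
            'class_name': names[0], 'native_size': native_size}

if __name__ == '__main__':
    for rule, sev, desc in run_heuristics(RTF_SAMPLE):
        print(f'[{sev}] {rule}: {desc}')
    for rec in carve_objdata(RTF_SAMPLE):
        hdr = parse_ole1_header(rec['data'])
        print(f"\\objdata at offset 0x{rec['offset']:X}, {rec['size']} bytes, "
              f"sha256 {rec['sha256'][:16]}..., class {hdr and hdr['class_name']}")
```

On the real sample the same parse_ole1_header call over the three carved .bin files is the quick way to learn which OLE server each object targets; a class name such as Equation.3 next to \objupdate is the combination the RTF_OBJUPDATE heuristic is built around. For anything beyond a triage script, oletools' rtfobj covers the cases this example deliberately skips (\bin data, obfuscated or split control words).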