Malicious RTF — malware analysis report

Static analysis result for SHA-256 254f4b6fa822ccaa…

MALICIOUS

RTF

Size: 26.1 KB
First seen: 2023-05-10
MD5: 41e6396e3fb7c2ee5676acd85978f671
SHA-1: 1a91df92e658d64528138ff06983010b3258ff53
SHA-256: 254f4b6fa822ccaaedbd58d35706fe01b39b3b2b07de1c7eccf00119290dcf2d
Risk score: 100

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 User Execution: Malicious File

The RTF file embeds an OLE object whose control words request automatic linking and updating, so the object is instantiated as soon as the document is opened rather than when a user double-clicks it. The combination of the `RTF_OBJDATA`, `RTF_OBJAUTLINK` and `RTF_OBJUPDATE` heuristics strongly suggests a malicious OLE object. No script was extracted from the file, so the OLE object itself is the delivery mechanism for a secondary payload, most likely a downloader or an exploit; the carved object stream listed under extracted artifacts is the piece to examine next.

Heuristics (3)

  • Automatically linked OLE object  high  RTF_OBJAUTLINK
    RTF contains \objautlink: the embedded OLE object is marked as an automatic link, so Word may update or activate it when the document is opened, without any user interaction.
  • \objupdate forces OLE activation  high  RTF_OBJUPDATE
    RTF contains \objupdate, which forces the OLE object to be instantiated (updated) when the document is opened, so no double-click by the user is needed. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data  medium  RTF_OBJDATA
    RTF contains 1 \objdata section (a hex-encoded embedded OLE object).
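The three heuristics above are simple control-word checks followed by decoding of the \objdata hex stream. The script below is an added example, not the report's own analysis tooling: it flags the three control words, carves each \objdata group, decodes the hex (tolerating the whitespace, nested groups and stray control words that obfuscated samples insert), and parses the OLE 1.0 object header (MS-OLEDS) to recover the class name and native data size. The RTF it scans is constructed inline for the example; the function names (`scan_rtf`, `decode_objdata`, `parse_ole1`, `build_ole1_stream`) and the class name in the sample are assumptions for illustration, not artifacts from the analysed file.

```python
import re
import struct

# Control words the report's heuristics key on. The negative lookahead keeps
# \objdata from matching a longer control word that merely starts with it.
INDICATORS = {
    "RTF_OBJAUTLINK": rb"\\objautlink(?![a-zA-Z])",
    "RTF_OBJUPDATE": rb"\\objupdate(?![a-zA-Z])",
    "RTF_OBJDATA": rb"\\objdata(?![a-zA-Z])",
}
HEX_RE = re.compile(rb"[0-9a-fA-F]+")
CONTROL_WORD_RE = re.compile(rb"\\[A-Za-z]+-?\d*")


def build_ole1_stream(class_name: bytes, native: bytes) -> bytes:
    """Constructed helper: minimal OLE 1.0 ObjectHeader (MS-OLEDS) plus native data."""
    def lp(s: bytes) -> bytes:  # LengthPrefixedAnsiString: length incl. NUL, bytes, NUL
        return struct.pack("<I", len(s) + 1) + s + b"\x00"
    return (struct.pack("<II", 0x00000501, 0x00000002)  # OLEVersion, FormatID=embedded
            + lp(class_name)
            + struct.pack("<II", 0, 0)                   # empty TopicName / ItemName
            + struct.pack("<I", len(native)) + native)


# Constructed sample (not the page's sample): one \object carrying the three
# control words, with the hex split across a line break as real files often do.
SAMPLE_OLE1 = build_ole1_stream(b"Equation.3", b"CONSTRUCTED-PLACEHOLDER-DATA")
_hex = SAMPLE_OLE1.hex().encode()
SAMPLE_RTF = (b"{\\rtf1\\ansi\\deff0 Invoice attached.\\par\n"
              b"{\\object\\objautlink\\objupdate\\objw1440\\objh720"
              b"{\\*\\objdata " + _hex[:40] + b"\r\n" + _hex[40:] + b"}}}")


def objdata_groups(rtf: bytes):
    """Yield (offset_of_\\objdata, raw group body up to the closing brace)."""
    for m in re.finditer(INDICATORS["RTF_OBJDATA"], rtf):
        depth, start = 0, m.end()
        for i in range(start, len(rtf)):
            c = rtf[i:i + 1]
            if c == b"{":
                depth += 1
            elif c == b"}":
                if depth == 0:
                    yield m.start(), rtf[start:i]
                    break
                depth -= 1


def decode_objdata(body: bytes) -> bytes:
    """Hex-decode an \\objdata body, ignoring whitespace and inserted control words."""
    cleaned = CONTROL_WORD_RE.sub(b"", body)
    nibbles = b"".join(HEX_RE.findall(cleaned))
    if len(nibbles) % 2:  # tolerate a dangling nibble
        nibbles = nibbles[:-1]
    return bytes.fromhex(nibbles.decode("ascii"))


def parse_ole1(blob: bytes) -> dict:
    """Parse the OLE 1.0 header of an embedded (FormatID 2) object; {} if malformed.
    Linked objects (FormatID 1) carry extra fields and are not handled here."""
    try:
        version, fmt = struct.unpack_from("<II", blob, 0)
        clen = struct.unpack_from("<I", blob, 8)[0]
        class_name = blob[12:12 + clen].rstrip(b"\x00").decode("latin-1")
        pos = 12 + clen
        tlen, ilen = struct.unpack_from("<II", blob, pos)
        pos += 8 + tlen + ilen
        native_len = struct.unpack_from("<I", blob, pos)[0]
    except struct.error:
        return {}
    return {"ole_version": version, "format_id": fmt, "class_name": class_name,
            "native_size": native_len,
            "native_present": len(blob) - pos - 4 >= native_len}


def scan_rtf(rtf: bytes) -> dict:
    """Apply the three heuristics and carve every embedded object."""
    hits = [name for name, pat in INDICATORS.items() if re.search(pat, rtf)]
    objects = []
    for off, body in objdata_groups(rtf):
        blob = decode_objdata(body)
        objects.append({"offset": off, "size": len(blob), **parse_ole1(blob)})
    # The report's reasoning: \objdata plus \objautlink and \objupdate means an
    # OLE object that Word instantiates on open, with no click from the user.
    auto_activate = {"RTF_OBJAUTLINK", "RTF_OBJUPDATE"} <= set(hits) and bool(objects)
    return {"indicators": hits, "objects": objects, "auto_activate": auto_activate}


if __name__ == "__main__":
    import json
    print(json.dumps(scan_rtf(SAMPLE_RTF), indent=2))
```

The carved blob (`size`) is what a sandbox writes out as the decoded \objdata artifact; the class name from the OLE 1.0 header tells you which COM server Word will load to handle it, which is the next thing to check once the indicators fire. Objects stored as OLE 2 compound files inside the native data need a separate parser.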

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                      Kind                  Source                          Size
objdata_00_off000014d5.bin    rtf-objdata-decoded   RTF \objdata at offset 0x14D5   4194 bytes
SHA-256 (objdata_00_off000014d5.bin): 6f6839cc742ef1953777e0cc62fd682919a38ad558fdf33976ea493d59f9be5a