Malicious RTF — malware analysis report

Static analysis result for SHA-256 25f7dafe9c2733f9…

MALICIOUS

RTF

24.6 KB First seen: 2023-05-25
MD5: 1c963374f3c33e9136fb1bafc156938f SHA-1: a014b8afa92f6cbd9db87817d27800b47a0576f1 SHA-256: 25f7dafe9c2733f96e4015ff4ee3cd63ac7716611b87c6d50b37d00df620ab20
100 Risk Score

Malware Insights

MITRE ATT&CK
T1559 Component Object Model Hijacking T1559.001 Component Object Model Hijacking: DLL Side-Loading

The RTF document contains embedded OLE object data, indicated by the RTF_OBJDATA heuristic. The RTF_OBJUPDATE heuristic suggests that this embedded object is designed to be automatically activated upon opening the document. The presence of the ole10NatIve stream further confirms the embedding of an OLE object, which is likely malicious and intended to execute code. The embedded artifact 'objdata_00_off00000f4b.bin' is the most direct indicator of the malicious content.

Heuristics 3

  • Ole10Native stream in RTF OLE object high CVE related RTF_OLE10NATIVE_STREAM
    RTF contains an embedded OLE object with an Ole10Native stream. This is a strong payload-container signal and is related to Word/OLE exploit delivery, but it is not specific enough on its own to assign a CVE.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00000f4b.bin
868c5fdd282b6c706c34432289ab567bac48751a8962ffabf8b9348adeb0fb45		 rtf-objdata-decoded RTF \objdata at offset 0xF4B 4169 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.