Malicious RTF — malware analysis report

Static analysis result for SHA-256 2663db7631452ad0…

MALICIOUS

RTF

25.0 KB First seen: 2023-05-08
MD5: 28fa212e19560b1bf74a78ad921c5862 SHA-1: 0416575a601fe394007619523e10844f57d44e82 SHA-256: 2663db7631452ad059733c8a586210b19e9f497d21c01fac9e386e195ff225ea
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious File

The RTF file contains OLE object data and an \objupdate directive, indicating an attempt to exploit OLE activation for code execution. The presence of embedded OLE object data suggests a malicious payload is likely being delivered. The exact nature of the payload is unclear due to the obfuscated nature of the OLE data.

Heuristics 2

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0000118e.bin
a7d9bcc54207e54fec4899adb77c9fad1ec5ce39318a000498bacfc4820bb9e6		 rtf-objdata-decoded RTF \objdata at offset 0x118E 4159 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.