Malicious RTF — malware analysis report

Static analysis result for SHA-256 27e101f7b8cadae7…

Verdict: MALICIOUS
File type: RTF
Size: 18.6 KB
MD5: 10ff23e162ef490c25a0d216c6773934
SHA-1: 951e409972eb621d8ae31c3c9fae71235f0b2cb4
SHA-256: 27e101f7b8cadae7bd94b09bc7bea82c10b4c28d121c3d8aed4764dad6960883
Risk score: 100

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The RTF document contains embedded OLE objects, indicated by the RTF_OBJDATA and RTF_OLE10NATIVE_STREAM heuristics. The RTF_OBJUPDATE heuristic suggests that these objects are designed to be automatically activated upon opening the document. This mechanism is commonly used to exploit vulnerabilities or deliver malicious content, such as executables or scripts, to the victim's system. The lack of readable document body text or extracted scripts prevents a more detailed analysis of the payload's intent.

Heuristics (3)

  • Ole10Native stream in RTF OLE object [severity: high, CVE related] (RTF_OLE10NATIVE_STREAM)
    RTF contains an embedded OLE object with an Ole10Native stream. This is a strong payload-container signal and is related to Word/OLE exploit delivery, but it is not specific enough on its own to assign a CVE.
  • \objupdate forces OLE activation [severity: high] (RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [severity: medium] (RTF_OBJDATA)
    RTF contains 2 \objdata section(s) — embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: objdata_00_off00000746.bin
    SHA-256: be740f2339c8c3ba93d33cd3d42c5c76e4319142dac9c02fd13a14f43f6a192e
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x746
    Size: 3688 bytes