Malicious RTF — malware analysis report

Static analysis result for SHA-256 2a80e7804960d16a…

Verdict: MALICIOUS
File type: RTF
Size: 26.7 KB
First seen: 2023-03-28
MD5: 44c187f1c2c4bc9560b31d63abea250f
SHA-1: 90c34b2b7f0326f35a49ec41416198ea1049d1ba
SHA-256: 2a80e7804960d16a1b89bd8e46ba60cc697a396926edba4d3ca0ea0653b90fdd
Risk score: 60

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The sample is an RTF document containing OLE object data and an \objupdate directive, which together are strong indicators of an exploit attempt. The heuristics suggest that the embedded OLE object is intended to be activated automatically when the document is opened, likely to trigger a vulnerability and execute malicious code. No specific malware family could be identified, because no further behavioral or payload indicators were available.

Heuristics (2)

  • RTF_OBJUPDATE (severity: high): \objupdate forces OLE activation
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (severity: medium): OLE object data
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000017b5.bin
SHA-256: 15bb75119a73c398b5290b4416b778aaf2531eae2f3392bfa8737a5367c7e0ba
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x17B5
Size: 4202 bytes