Malicious RTF — malware analysis report

Static analysis result for SHA-256 2e450c0f1e8389bc…

MALICIOUS

RTF

22.7 KB First seen: 2023-05-08
MD5: 0efad3b94fa6bb52c515f7979966f841 SHA-1: aba13e3599a37855294dec72e788a39bb9f2709f SHA-256: 2e450c0f1e8389bcfdf9e71f21b7ccbdca0dce47f84093aaee1ddaa039f6a6da
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The file is an RTF document containing OLE object data, indicated by the RTF_OBJDATA heuristic. The RTF_OBJUPDATE heuristic suggests that this OLE object is designed to be activated automatically, likely leading to the execution of embedded malicious code. The document body is heavily obfuscated and does not provide clear textual lures. No scripts were extracted from this sample.

Heuristics 2

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000007ce.bin
6eb61aec3f07da0017bb4745e784b120b70287e02d86839cc1a7debf816113fb		 rtf-objdata-decoded RTF \objdata at offset 0x7CE 4204 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.