Malicious RTF — malware analysis report

Static analysis result for SHA-256 2e82c78c5872ac01…

Verdict: MALICIOUS
File type: RTF
Size: 431.4 KB
First seen: 2022-12-02
MD5: 6177199fa3e032ef9f515588780a2198
SHA-1: da3c03e42f406f25ac502fae01806a196849e7a6
SHA-256: 2e82c78c5872ac01ec1840ca0bf59b0505858c269d5a637a530d8327f39edb4c
Risk score: 60

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 User Execution: Malicious File

The RTF file contains OLE object data and triggers OLE activation via \objupdate, indicating an attempt to execute embedded content. The lack of readable document body text or scripts prevents a more detailed analysis of the payload's intent. The primary IOC is the file's SHA-256 hash.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename:  objdata_00_off00000ab0.bin
SHA-256:   5fc50f4562f96e0711764cb3a2987da1aa7616f2364e7cb05499d6d498f59555
Kind:      rtf-objdata-decoded
Source:    RTF \objdata at offset 0xAB0
Size:      1947 bytes