Malicious RTF — malware analysis report

Static analysis result for SHA-256 335c827bdfb5dd17…

MALICIOUS

RTF

Size: 4.0 KB
First seen: 2022-11-23
MD5: 33d69a3bf0b311280779e212db07e7b2
SHA-1: 46292f5dfe2f83bb0a795b733830387aecf1f414
SHA-256: 335c827bdfb5dd174bb4b9c6e8804a8cee229e29b90c3aebe6b567d72e22596b
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious File

The RTF file contains embedded OLE object data, indicated by the RTF_OBJDATA heuristic. The RTF_OBJUPDATE heuristic suggests that this object is designed to be automatically activated upon opening, likely leading to the execution of malicious code. Without further script or body content, the exact payload and delivery mechanism remain unclear, but the structure points to a classic OLE object exploitation technique.

Heuristics (2)

  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (medium): OLE object data
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000076.bin
SHA-256:  dbfd78fffd829335e334f3a2c3589ee4d8c2f72978feadbf7dbd8323948efd51
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x76
Size:     1921 bytes