MALICIOUS
80
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment
The RTF file contains OLE object data and an \objupdate directive, indicating an attempt to exploit OLE object activation. A suspicious shellcode candidate region was also identified within an embedded OLE object. These factors strongly suggest the file is designed to execute arbitrary code upon opening, likely delivered as a spearphishing attachment.
Heuristics 3
-
\objupdate forces OLE activation high RTF_OBJUPDATERTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
-
OLE object data medium RTF_OBJDATARTF contains 1 \objdata section(s) — embedded OLE objects
-
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
objdata_00_off0000118c.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x118C | 41746 bytes |
SHA-256: e0917f352d80d708a00753fea09aede11891d8e4f31d2a938c3bbb922be901f9 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Static shellcode analysis found candidate code region(s). Indicators: SC_GETPC_CALL
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.