Malicious RTF — malware analysis report

Static analysis result for SHA-256 393d1c642d011de3…

Verdict: MALICIOUS
File type: RTF
Size: 10.7 KB
First seen: 2023-01-19
MD5: 41e446aba92a8ab5c8ef1b7342229c85
SHA-1: f0be323b62cb707d6c2fc997eaee997d610a8131
SHA-256: 393d1c642d011de3ce1fb95f51ed38908dacbb87c54bbf6040b5feacdf32d723
Risk score: 60

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The RTF file contains OLE object data and uses \objupdate to force activation, indicating an attempt to execute embedded content. While no specific document body or script content was provided for analysis, the presence of OLE objects strongly suggests a malicious payload delivery mechanism. The extracted objdata artifact is a key indicator of the embedded malicious component.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001e62.bin
SHA-256: 8bff15c7009c11c97b1eb32d94473c46a8f69e6eca49b003a3bc4928debb65e8
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1E62
Size: 1528 bytes