Malicious RTF — malware analysis report

Static analysis result for SHA-256 3a2796077f24eba1…

Verdict: MALICIOUS
File type: RTF
Size: 9.6 KB
MD5: d5c72a79881e7245bcb3fe135d4143f5
SHA-1: 038a7d4880f4fe455b011706a21691c8d21c3cbd
SHA-256: 3a2796077f24eba13a3b53d898a7d0f0a5ec3f4f244736c0e1fb1453693a4f35
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The RTF file contains OLE object data and an \objupdate directive, indicating an attempt to exploit OLE object handling vulnerabilities. This suggests the file is designed to execute embedded code or trigger malicious actions upon opening. The specific exploit targeted is unclear without further analysis, but the presence of these indicators strongly points to a malicious document designed for code execution.

Heuristics (2)

  • \objupdate forces OLE activation [severity: high, id: RTF_OBJUPDATE]
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [severity: medium, id: RTF_OBJDATA]
    RTF contains 1 \objdata section(s) — embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000013ce.bin
SHA-256: 739063f8126e63f3129cca49d7a6e9898f53a077eb7976438413749f3673aa26
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x13CE
Size: 1733 bytes