Malicious RTF — malware analysis report

Static analysis result for SHA-256 3f092421ded47e51…

MALICIOUS

RTF

24.5 KB First seen: 2023-05-29
MD5: 2649a0cdd385220ace4898e1f3f5b377 SHA-1: 8bd1c77e03f04300e62db57763baeaae05dc7d53 SHA-256: 3f092421ded47e51764275f6267cd92ee66063d3d4b8695a4b917a1c59fbf69a
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious File

The RTF file contains embedded OLE object data, indicated by the RTF_OBJDATA heuristic. The RTF_OBJUPDATE heuristic specifically points to the ".objupdate" directive, which forces OLE activation. This suggests the file is designed to exploit this mechanism to execute arbitrary code or download a secondary payload. No document body or script content was available for further analysis, limiting the ability to identify a specific family or more detailed IOCs.

Heuristics 2

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00000f86.bin
875f60c12055dd529cccea34dd241b32ebe169a35310838fba75c5c07b0dc243		 rtf-objdata-decoded RTF \objdata at offset 0xF86 4182 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.