Malicious RTF — malware analysis report

Static analysis result for SHA-256 4070607b1c6de0c5…

Verdict: MALICIOUS
File type: RTF
Size: 20.9 KB
First seen: 2023-06-12
MD5: e8caac8d865f4a94f766c5935fcf669f
SHA-1: 4a200b108393ce25901893d45c807860823e4320
SHA-256: 4070607b1c6de0c546ed8c15e64c9499de4d2a7f59ba7c132f588887b13567f0
Risk score: 60

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The sample is an RTF document containing OLE object data, indicated by the RTF_OBJDATA heuristic. The RTF_OBJUPDATE heuristic at offset 0xC72 suggests that the embedded OLE object is designed to be automatically activated upon opening the document. This mechanism is commonly used to deliver and execute malicious payloads, likely through embedded scripts or executables within the OLE object. No specific family could be identified, and the document body was unreadable.

Heuristics (2)

  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (medium): OLE object data
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000c92.bin
SHA-256: b25ee037a2637ca5598a5ae86721fcb0bb68110d0961a0b9b5950db843d8df76
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0xC92
Size: 3651 bytes