Malicious RTF — malware analysis report

Static analysis result for SHA-256 40c0e71256c3e1eb…

MALICIOUS

RTF

6.6 KB
MD5: 791be7fec353b0ff21ebc258697f0082 SHA-1: 19aae5a8b58268cbfe4fd1324698d15fd483192f SHA-256: 40c0e71256c3e1eb592155bcd9952f7e5b8cd9f025f5c910cb3a7a643357d81e
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious File

The RTF document contains OLE object data and an \objupdate directive, indicating an attempt to exploit OLE activation for malicious purposes. The presence of embedded OLE object data suggests the document is designed to drop and execute a secondary payload. While no specific script was extracted, the heuristics strongly point towards a malicious OLE object being embedded and triggered upon opening.

Heuristics 2

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00000544.bin
84cfc17bfb63660d994318ac3494b7f6819e1c588f86785e213291f21bf45d27		 rtf-objdata-decoded RTF \objdata at offset 0x544 1985 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.