Malicious RTF — malware analysis report

Static analysis result for SHA-256 42ca985c41cadddb…

Verdict: MALICIOUS
File type: RTF
Size: 3.5 KB
First seen: 2023-10-24
MD5: f0cf2b01858e7b3f391b420e16861870
SHA-1: 6f5d7c0a4631be3bd4b11647fa8d0a8f732fbbad
SHA-256: 42ca985c41cadddbac89ac8c1df79c42541e195afb4fad7aedfb6379161252ea
Risk score: 60

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The RTF file contains OLE object data and an \objupdate directive, indicating an attempt to exploit a vulnerability associated with embedded OLE objects. This technique is commonly used to deliver secondary payloads, such as malware downloaders or exploit kits. The specific exploit targeted is not identifiable from the provided heuristics.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000094.bin
SHA-256: b95e818df90f7ff3b7b9d817bdf7fbada246b5ca8d5d81af116977b607b88e7c
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x94
Size: 1694 bytes