Malicious RTF — malware analysis report

Static analysis result for SHA-256 42ff1c08294a9e36…

MALICIOUS

RTF

Size: 3.7 KB
First seen: 2022-12-14
MD5: ef2f225c5273e9a7829d67605f748da9
SHA-1: 865936a8a0d7b24e826509e92266e516af9429f7
SHA-256: 42ff1c08294a9e36a66672c9c7cd5d2831d911a62de8b38ac99adfe5c0577f22
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious File

The RTF file contains OLE object data and an \objupdate directive, indicating an attempt to exploit OLE object activation. This technique is commonly used to deliver and execute malicious payloads. No specific family is identifiable from the provided evidence.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000007c.bin
SHA-256: e57a8a7df86fd6c06579bb3e84f1e733640a4dcf9b8ec516d4f2427f6471305e
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x7C
Size: 1786 bytes