Malicious RTF — malware analysis report

Static analysis result for SHA-256 43622526694b40ba…

Verdict: MALICIOUS
File type: RTF
Size: 430.3 KB
Authoring application: Msftedit 5.41.21.2510
First seen: 2022-07-08
MD5: 543bb103b8ad231ca53f6c1eb369c094
SHA-1: 415ce2db3957294d73fa832ed844940735120bae
SHA-256: 43622526694b40bad5fde8971f7937a22b8e6f4012dbd39cd4746429e056c609
Risk score: 80

Malware Insights

MITRE ATT&CK

  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

The RTF contains multiple embedded OLE objects, one of which carries the \objupdate control word, so it is instantiated automatically when the document is opened rather than only when the user activates it. That pattern is characteristic of documents that exploit a vulnerable OLE server, most commonly Equation Editor. The visible document body, truncated in this extraction, discusses federal information security projects and password changes and most likely serves as the lure. Taken together, the lure text and the auto-updating OLE objects indicate a file built to deliver and execute a malicious payload as soon as it is opened.

Heuristics (3)

  • \objupdate forces OLE activation  [severity: high, rule: RTF_OBJUPDATE]
    The RTF contains \objupdate, which forces automatic instantiation of the OLE object when the document is opened, without any user interaction. This control word is almost exclusively seen in Equation Editor exploit documents.
  • OLE object data  [severity: medium, rule: RTF_OBJDATA]
    The RTF contains 3 \objdata sections (embedded OLE objects).
  • Embedded OLE object  [severity: medium, rule: RTF_OBJEMB]
    The RTF contains \objemb (an embedded OLE object).

Extracted artifacts (3)

Files carved from inside the sample during analysis. Each artifact is the hex-decoded content of one \objdata group; the offset is where that \objdata group sits in the RTF.

  objdata_00_off00031438.bin
    SHA-256: 6c66a83d308fb61d8984bc1e877560920194f8ac52701799915b8f5acdfaee0f
    Kind:    rtf-objdata-decoded
    Source:  RTF \objdata at offset 0x31438
    Size:    112380 bytes

  objdata_01_off00068256.bin
    SHA-256: 624cd8895a4ecc5a0a871cb6215c2b19f4fae3b522107541fa9df8c8983ecb35
    Kind:    rtf-objdata-decoded
    Source:  RTF \objdata at offset 0x68256
    Size:    6847 bytes

  objdata_02_off00068270.bin
    SHA-256: 05ba095ac605422898d063511280e25730e5e1dd91478e3cd20e32a7ee2beec8
    Kind:    rtf-objdata-decoded
    Source:  RTF \objdata at offset 0x68270
    Size:    6843 bytes

Note that the \objdata at 0x68270 begins only 0x1A (26) bytes after the one at 0x68256, i.e. inside that object's hex stream (6847 decoded bytes means at least 13694 hex characters). Artifacts 01 and 02 are therefore almost certainly overlapping carves of the same region of the file rather than two independent objects, which is worth keeping in mind when reading the "3 \objdata sections" count: the sample carries two distinct OLE payloads, the large one at 0x31438 and the small one near 0x68256.
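The three heuristics above and the artifact table are what a small RTF carver produces, and it is useful to be able to reproduce them offline on a quarantined sample. The script below is an added example, not part of this report and not the analysis tool that generated it. It flags the \objupdate, \objdata and \objemb control words, hex-decodes every \objdata group, and names each carve the same way as the artifacts above (index plus zero-padded hex offset), reporting size and SHA-256. The RTF embedded in it is constructed for the demo (a fake Equation.3 OLE1 header and a fake Package object), not the analysed file. Two simplifications are assumptions of this example rather than documented carver behaviour: a hex stream is taken to end at the first byte that is neither a hex digit nor whitespace, and a trailing odd nibble is dropped; a full carver such as rtfobj from oletools also copes with control words nested inside \objdata.

```python
"""Tiny RTF OLE-object triage: heuristic flags plus \\objdata carving.
Added example; not the analysis tool that produced the report above."""
import hashlib
import re

# Constructed sample input (not the analysed file): two embedded OLE objects,
# the first carrying \objupdate. Hex streams may contain whitespace/newlines.
SAMPLE_RTF = (
    rb"{\rtf1\ansi"
    rb"{\object\objemb\objupdate{\*\objclass Equation.3}"
    rb"{\*\objdata 01050000020000000b0000004571756174696f6e2e3300}}"
    rb"{\object\objemb{\*\objclass Package}"
    rb"{\*\objdata 0105 0000" b"\r\n" rb"0200 0000 0700 0000 5061636b61676500}}"
    rb"\par Lure text here.}"
)

# rule id -> (pattern, severity, title); the lookahead keeps a control word
# from matching as the prefix of a longer one (e.g. \objdata vs \objdatax).
HEURISTICS = {
    "RTF_OBJUPDATE": (rb"\\objupdate(?![a-zA-Z])", "high", "\\objupdate forces OLE activation"),
    "RTF_OBJDATA": (rb"\\objdata(?![a-zA-Z])", "medium", "OLE object data"),
    "RTF_OBJEMB": (rb"\\objemb(?![a-zA-Z])", "medium", "Embedded OLE object"),
}

HEX_DIGITS = b"0123456789abcdefABCDEF"
RTF_WHITESPACE = b" \t\r\n"


def run_heuristics(data: bytes) -> dict:
    """Return {rule_id: hit_count} for every heuristic, zero counts included."""
    return {rule: len(re.findall(pat, data)) for rule, (pat, _, _) in HEURISTICS.items()}


def carve_objdata(data: bytes) -> list:
    """Hex-decode every \\objdata group and describe it like the artifact table.

    Assumption (this example only): the hex stream runs until the first byte
    that is neither a hex digit nor whitespace, e.g. '}' or the '\\' of a
    nested control word, and a trailing odd nibble is discarded.
    """
    artifacts = []
    for idx, m in enumerate(re.finditer(HEURISTICS["RTF_OBJDATA"][0], data)):
        pos = m.end()
        nibbles = bytearray()
        while pos < len(data):
            c = data[pos:pos + 1]
            if c in HEX_DIGITS:
                nibbles += c
            elif c not in RTF_WHITESPACE:
                break          # end of the hex stream
            pos += 1
        if len(nibbles) % 2:
            del nibbles[-1]    # odd nibble count: drop the dangling half byte
        blob = bytes.fromhex(nibbles.decode("ascii"))
        artifacts.append({
            "filename": f"objdata_{idx:02d}_off{m.start():08x}.bin",
            "kind": "rtf-objdata-decoded",
            "source": f"RTF \\objdata at offset {m.start():#x}",
            "offset": m.start(),
            "size": len(blob),
            "sha256": hashlib.sha256(blob).hexdigest(),
            "data": blob,
        })
    return artifacts


def triage(data: bytes) -> dict:
    """Combine fired heuristics and carved objects into one report dict."""
    hits = run_heuristics(data)
    fired = [
        {"rule": r, "severity": HEURISTICS[r][1], "title": HEURISTICS[r][2], "hits": n}
        for r, n in hits.items() if n
    ]
    return {"heuristics": fired, "artifacts": carve_objdata(data)}


if __name__ == "__main__":
    report = triage(SAMPLE_RTF)
    for h in report["heuristics"]:
        print(f"[{h['severity']:6}] {h['rule']:14} {h['title']} (x{h['hits']})")
    for a in report["artifacts"]:
        print(f"{a['filename']}  {a['sha256']}  {a['kind']}  {a['source']}  {a['size']} bytes")
```

Run it against a real sample by replacing SAMPLE_RTF with the file's bytes; the overlap discussed in the artifact table shows up as two \objdata matches whose offsets differ by far less than the decoded size of the first, which is the check worth adding before trusting an object count.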