Malicious RTF — malware analysis report

Static analysis result for SHA-256 4629ba2fd5e56009…

MALICIOUS

RTF

Size: 27.1 KB
First seen: 2023-06-06
MD5: 7c4b689dca23188e3b088010add245ba
SHA-1: fc885670d9b928e86c09151bef9eab5c490ad531
SHA-256: 4629ba2fd5e560099ecf3eb0e47fc621236aacaf90b08abb56976479435d1e11
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious File

The sample is an RTF file that contains embedded OLE object data. Heuristics flag the \objupdate control word, which forces OLE activation as soon as the document is opened, suggesting that the document is designed to use this mechanism to execute the embedded object without user interaction. Combined with the presence of OLE object data, this strongly implies an attempt to abuse OLE activation for malicious purposes, most likely to download and execute a further stage.

Heuristics (3)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s): embedded OLE objects
  • Embedded OLE object (severity: medium, rule: RTF_OBJEMB)
    RTF contains \objemb: embedded OLE object

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  Filename: objdata_00_off000019e1.bin
  SHA-256:  1cfdd163e5f6a8b6badbe5a24eca612fe30daebfdce5b2145beec69b02a97a60
  Kind:     rtf-objdata-decoded
  Source:   RTF \objdata at offset 0x19E1
  Size:     4168 bytes