Malicious RTF — malware analysis report

Static analysis result for SHA-256 4934d81f595dc3c1…

Verdict: MALICIOUS
File type: RTF
Size: 10.4 KB
MD5: bde54ffe02050054a8017ec6dbbe992a
SHA-1: 11ae60eb159162e0721852d96f08e263aa58bf37
SHA-256: 4934d81f595dc3c1e10eb3b938a1d4f3244c60c083e2fbe5aa2b61d559d01d79
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The RTF document contains OLE object data and uses \objupdate to force OLE activation, indicating an attempt to execute embedded code. While no specific script was extracted, the heuristics strongly suggest a malicious OLE object is embedded. The presence of an embedded URL also points towards a delivery mechanism for further malicious activity.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000015fe.bin
SHA-256: c04142dd53689012e9e6e0908d6bf6abb86860efb4a5956a9d1281f9715cd8d3
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x15FE
Size: 1788 bytes