Malicious RTF — malware analysis report

Static analysis result for SHA-256 4b8653ec7aa24889…

MALICIOUS

RTF

Size: 22.9 KB
First seen: 2023-05-30
MD5: 3152aef08e3025e3ce9efe5db513f5dd
SHA-1: 96eefdfe03cf49c0c82736b1cbefd70ff83d4926
SHA-256: 4b8653ec7aa24889676e92e96031d18b3aafff9affb3e948804a1625d4c7b67f
Risk Score: 60

Malware Insights

MITRE ATT&CK

  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File

The RTF contains an embedded OLE object (\objdata) together with an \objupdate directive. That combination makes the host application load and activate the object as soon as the document is opened, with no user interaction, which is how exploit documents reach a vulnerable OLE server. No payload or script was extracted from the object data during static analysis, so the verdict rests on these structural indicators rather than on an identified exploit; the T1059.001 (PowerShell) mapping is not backed by any artifact carved here and should be treated as tentative until dynamic analysis confirms it. The SHA-256 above identifies the sample; the carved OLE blob has its own hash in the artifacts table.

Heuristics (2)

  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    The RTF contains \objupdate, which forces the embedded OLE object to be instantiated (and its OLE server loaded) automatically when the document is opened, bypassing the usual user interaction. Legitimate documents rarely use it; it is almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (medium): OLE object data
    The RTF contains 1 \objdata section (an embedded OLE object, stored as hex-encoded bytes).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000868.bin
SHA-256: 5a9fd257bff830e5c58ef373f6bd49771045ba535129db5e2fec46da44447c66
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x868
Size: 4191 bytes
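As an added example (not part of the original report and not the analysis platform's own code), the following Python re-implements the two heuristics above and the \objdata carving behind the artifacts table: it locates \objupdate, decodes the hex-encoded \objdata group into bytes, hashes the result and reads the OLE1 stream header to recover the embedded class name. The sample RTF, the "Equation.3" class name and every function name are constructed for illustration; the \bin control word (raw binary inside \objdata) is deliberately not handled.

```python
"""Added example: detect \\objupdate / \\objdata in an RTF and carve the OLE blob."""
from __future__ import annotations

import hashlib
import re
import struct

# Constructed sample (NOT the analysed file): one embedded object with \objupdate
# and a hex-encoded \objdata whose leading bytes form an OLE1 stream header.
SAMPLE_RTF = (
    rb"{\rtf1\ansi\deff0"
    rb"{\object\objemb\objupdate{\*\objclass Equation.3}"
    rb"{\*\objdata 01050000020000000B0000004571756174696f6e2e330000}}"
    rb"\par Hello}"
)

HEXCHARS = b"0123456789abcdefABCDEF"
OBJUPDATE_RE = re.compile(rb"\\objupdate\b")
OBJDATA_RE = re.compile(rb"\\\*?\\objdata\b")   # matches \objdata and \*\objdata


def find_objupdate(data: bytes) -> list[int]:
    """Byte offsets of every \\objupdate control word (the RTF_OBJUPDATE trigger)."""
    return [m.start() for m in OBJUPDATE_RE.finditer(data)]


def _skip_control_word(data: bytes, i: int) -> int:
    """Index just past the control word or control symbol starting at data[i] == '\\'."""
    j = i + 1
    while j < len(data) and data[j:j + 1].isalpha():
        j += 1
    if j == i + 1:                 # control symbol such as \{ or \}: consume it too
        return i + 2
    if j < len(data) and data[j:j + 1] == b"-":   # optional signed numeric parameter
        j += 1
    while j < len(data) and data[j:j + 1].isdigit():
        j += 1
    return j


def parse_ole1_header(blob: bytes) -> dict | None:
    """Parse the start of an OLE1 object stream: OLEVersion, FormatID, ClassName."""
    if len(blob) < 12:
        return None
    version, fmt, name_len = struct.unpack_from("<III", blob, 0)
    if version != 0x00000501:      # OLEVersion expected in OLE1 streams
        return None
    name = blob[12:12 + name_len].rstrip(b"\x00").decode("latin-1", "replace")
    return {"format_id": fmt, "class_name": name}   # FormatID 2 = embedded object


def carve_objdata(data: bytes) -> list[dict]:
    """Decode each hex-encoded \\objdata group; returns offset, size, sha256, OLE1 header."""
    found = []
    for m in OBJDATA_RE.finditer(data):
        i, depth, hexbuf = m.end(), 0, bytearray()
        while i < len(data):
            c = data[i:i + 1]
            if c == b"{":
                depth += 1
            elif c == b"}":
                if depth == 0:
                    break          # closing brace of the \objdata group
                depth -= 1
            elif c == b"\\":
                i = _skip_control_word(data, i)   # nested \bin (raw bytes) is NOT supported
                continue
            elif c in HEXCHARS:
                hexbuf += c        # whitespace and other non-hex bytes are ignored
            i += 1
        if len(hexbuf) % 2:        # odd nibble count: drop the dangling nibble
            hexbuf = hexbuf[:-1]
        blob = bytes.fromhex(hexbuf.decode("ascii"))
        found.append({
            "offset": m.start(),
            "size": len(blob),
            "sha256": hashlib.sha256(blob).hexdigest(),
            "ole1": parse_ole1_header(blob),
        })
    return found


def analyse(data: bytes) -> dict:
    """Apply the two report heuristics and return offsets, carved objects and hits."""
    objupdate = find_objupdate(data)
    objects = carve_objdata(data)
    hits = []
    if objupdate:
        hits.append(("RTF_OBJUPDATE", "high"))
    if objects:
        hits.append(("RTF_OBJDATA", "medium"))
    return {"objupdate_offsets": objupdate, "objects": objects, "heuristics": hits}


if __name__ == "__main__":
    import json
    print(json.dumps(analyse(SAMPLE_RTF), indent=2))
```

To triage a real file, replace SAMPLE_RTF with `open(path, "rb").read()`. Word's RTF parser is far more lenient than this one: obfuscated samples split control words, insert junk between hex nibbles or switch to \bin, so a miss here does not clear a file and a hit is a triage signal to hand the carved blob to an OLE parser, not proof of exploitation.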