Malicious RTF — malware analysis report

Static analysis result for SHA-256 4ce96638b283b32d…

Verdict: MALICIOUS
File type: RTF
Size: 9.9 KB
MD5: 5d3f07cc44fe9defb5b6a95b652b3dde
SHA-1: 12d3c74949cc17c3dea64c09818e7cd8e1faf764
SHA-256: 4ce96638b283b32d83baca34dd660d71eb0d90b6ffe191edcc110ca44973595e
Risk score: 60

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File
  • T1059.001 Command and Scripting Interpreter: PowerShell

The RTF embeds an OLE object (one \objdata section) and sets \objupdate on it, so Word instantiates the object's COM server as soon as the document is opened rather than waiting for the user to double-click the object. That activation path is the one used by Equation Editor exploit documents, so the \objupdate plus \objdata combination is treated as an exploitation attempt rather than a benign embedded object. No malware family was identified; the pattern is consistent with a downloader or dropper stage. Nothing in this static pass shows a second-stage script or URL, so the PowerShell mapping reflects the typical chain for this technique rather than an observed artifact. The carved \objdata blob listed under Extracted artifacts is the thing to examine next: its OLE1 class name says which server \objupdate would launch, and its native data is where an exploit payload would sit.

Heuristics (2)

  • [high] RTF_OBJUPDATE: \objupdate forces OLE activation
    The RTF contains \objupdate, which makes Word instantiate the embedded OLE object automatically when the document is opened, with no click from the user. Legitimate documents almost never set it; it is seen almost exclusively in Equation Editor exploit documents.
  • [medium] RTF_OBJDATA: OLE object data
    The RTF contains 1 \objdata section (hex-encoded embedded OLE object).
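To make the two heuristics concrete, here is an added triage script; it is not the analyzer's own tooling, and the RTF document it scans is constructed inside the block, not the analyzed sample. It finds \objupdate, carves every \objdata group, hex-decodes it the way the rtf-objdata-decoded artifact below was produced, and parses the OLE 1.0 EmbeddedObject header (MS-OLEDS 2.2.5) to recover the class name, which identifies the COM server \objupdate would launch. The ABUSED_CLASSES watchlist and the placeholder native payload are assumptions made for the example.

```python
"""Triage an RTF for the \\objupdate + \\objdata pattern. Added example; the
sample document below is constructed, not the analyzed file."""
import hashlib
import re
import struct

# Non-exhaustive watchlist of OLE class names abused in RTF lures (assumed for
# this example). "Equation.3" is the Equation Editor ProgID.
ABUSED_CLASSES = {"Equation.3", "OLE2Link", "Package"}


def _lp_ansi(s: bytes) -> bytes:
    """LengthPrefixedAnsiString: u32 length including the NUL, or 0 when empty."""
    return struct.pack("<I", 0) if not s else struct.pack("<I", len(s) + 1) + s + b"\x00"


def build_ole1_embedded(class_name: str, native: bytes) -> bytes:
    """Serialize an OLE1 EmbeddedObject (MS-OLEDS 2.2.5); used to build the sample."""
    return (
        struct.pack("<II", 0x00000501, 0x00000002)  # OLEVersion, FormatID=2 (embedded)
        + _lp_ansi(class_name.encode("ascii"))      # ClassName
        + _lp_ansi(b"")                             # TopicName
        + _lp_ansi(b"")                             # ItemName
        + struct.pack("<I", len(native)) + native   # NativeDataSize, NativeData
    )


def parse_ole1_header(blob: bytes) -> dict:
    """Parse the EmbeddedObject header from a decoded \\objdata blob."""
    if len(blob) < 8:
        raise ValueError("objdata too short for an OLE1 header")
    version, format_id = struct.unpack_from("<II", blob, 0)
    pos, names = 8, []
    for _ in range(3):  # ClassName, TopicName, ItemName
        (n,) = struct.unpack_from("<I", blob, pos)
        pos += 4
        names.append(blob[pos:pos + n].rstrip(b"\x00").decode("latin-1"))
        pos += n
    (native_size,) = struct.unpack_from("<I", blob, pos)
    pos += 4
    return {"ole_version": version, "format_id": format_id, "class_name": names[0],
            "topic_name": names[1], "item_name": names[2],
            "native_size": native_size, "native": blob[pos:pos + native_size]}


def carve_objdata(rtf: str) -> list:
    """Return (offset, bytes) for each {\\*\\objdata ...} group in the RTF text."""
    found = []
    for m in re.finditer(r"\\objdata(?![A-Za-z])", rtf):
        depth, i, chars = 1, m.end(), []
        while i < len(rtf) and depth > 0:
            c = rtf[i]
            if c == "{":
                depth += 1
            elif c == "}":
                depth -= 1
            elif depth == 1:
                chars.append(c)  # nested groups are skipped, as Word does
            i += 1
        # Drop control words, escapes and whitespace; what is left is the hex stream.
        body = re.sub(r"\\[A-Za-z]+-?\d* ?|\\.|\s", "", "".join(chars))
        if len(body) % 2:  # Word tolerates a dangling nibble; drop it
            body = body[:-1]
        found.append((m.start(), bytes.fromhex(body)))
    return found


def triage(rtf: str) -> dict:
    """Summarize \\objupdate presence and every carved object."""
    objects = []
    for offset, blob in carve_objdata(rtf):
        hdr = parse_ole1_header(blob)
        objects.append({"offset": f"0x{offset:X}", "size": len(blob),
                        "sha256": hashlib.sha256(blob).hexdigest(),
                        "class_name": hdr["class_name"], "format_id": hdr["format_id"],
                        "native_size": hdr["native_size"],
                        "abused_class": hdr["class_name"] in ABUSED_CLASSES})
    objupdate = re.search(r"\\objupdate(?![A-Za-z])", rtf) is not None
    # objupdate alone is unusual; objupdate plus an abused class is the exploit pattern
    if objupdate and any(o["abused_class"] for o in objects):
        verdict = "exploit-pattern"
    elif objupdate or objects:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"objupdate": objupdate, "objects": objects, "verdict": verdict}


# Constructed sample (not the analyzed file). The native payload is a
# placeholder, not a real Equation Editor (MTEF) stream.
_PLACEHOLDER_NATIVE = b"\x1c\x00\x00\x00\x02\x00" + b"A" * 40
SAMPLE_OBJECT = build_ole1_embedded("Equation.3", _PLACEHOLDER_NATIVE)
_hex = SAMPLE_OBJECT.hex()
SAMPLE_RTF = (
    "{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Calibri;}}\n"
    "\\pard Quarterly figures attached.\\par\n"
    "{\\object\\objemb\\objupdate\\objw1440\\objh720{\\*\\objclass Equation.3}\n"
    "{\\*\\objdata\n" + "\n".join(_hex[i:i + 64] for i in range(0, len(_hex), 64)) + "\n}}\n"
    "}\n"
)

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_RTF), indent=2))
```

Running it on a real sample is a matter of reading the file as latin-1 text and passing it to triage(); the SHA-256 it prints for each carved blob is directly comparable with the artifact hash in a report like this one. The carver deliberately strips nested groups and control words from the hex stream because in-the-wild samples interleave junk there to break naive hex decoders while Word still parses them.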

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000014ee.bin
SHA-256: 8c165e4fc394122a809b8d76aa691e128b39707a93eaa6c9499b274d2794baff
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x14EE
Size: 1768 bytes