Malicious RTF — malware analysis report

Static analysis result for SHA-256 4fe0591d0c5bd1f2…

Verdict: MALICIOUS
File type: RTF
Size: 27.6 KB
First seen: 2023-06-08
MD5: 8f6f20b9800cc3739e08c986979fe886
SHA-1: 945fc5d51604afd6e92c84fac68e336680d37abc
SHA-256: 4fe0591d0c5bd1f27e2a384aa171139b371847c545e9eae6e7bc6269a954a58b
Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The RTF file contains OLE object data and uses \objupdate to force OLE activation, indicating an attempt to exploit a vulnerability. The presence of \objdata sections and the Ole10Native stream are strong indicators of malicious OLE object embedding. While no specific script was extracted, the heuristics strongly suggest the RTF is designed to trigger an exploit when opened, likely leading to further malicious activity.

Heuristics (3)

  • Ole10Native stream in RTF OLE object (severity: high; tag: CVE related; rule: RTF_OLE10NATIVE_STREAM)
    RTF contains an embedded OLE object with an Ole10Native stream. This is a strong payload-container signal and is related to Word/OLE exploit delivery, but it is not specific enough on its own to assign a CVE.
  • \objupdate forces OLE activation (severity: high; rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium; rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001aff.bin
SHA-256: c509b78ea98d64b3d7c0988a96c549454b0096e7e1c0d4f3305c68ca3bd3ddde
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1AFF
Size: 4197 bytes