Malicious RTF — malware analysis report

Static analysis result for SHA-256 51bbdcd9da387980…

MALICIOUS

RTF

Size: 5.5 KB
First seen: 2022-10-28
MD5: 3352175ea33891c873d120f8eea80946
SHA-1: 150a4046aad42a29bc49991e3ba19e1177760896
SHA-256: 51bbdcd9da38798085d7fca64708ee95a44e3c3fc99a7cd69d112b68c89c1cbb
Risk score: 60

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The RTF file contains OLE object data together with an \objupdate directive. That combination forces the embedded object to be activated as soon as the document is opened, without any user interaction, which indicates the file is designed to exploit a vulnerability in the object's handler at activation time. This is a common technique for delivering malicious payloads. No specific malware family could be identified from the available evidence.

Heuristics (2)

  • RTF_OBJUPDATE (severity: high): \objupdate forces OLE activation
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (severity: medium): OLE object data
    RTF contains 1 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename:   objdata_00_off0000007d.bin
SHA-256:    ebfe8dd59666c3c68c2baa5e02cc17bfda2774dcbeabe9b73a0e7a93d9a8fb9c
Kind:       rtf-objdata-decoded
Source:     RTF \objdata at offset 0x7D
Size:       2520 bytes