Malicious RTF — malware analysis report

Static analysis result for SHA-256 51cc42f4229cb400…

MALICIOUS

RTF

Size: 9.5 KB
Authoring application: Riched20 10.0.18362
First seen: 2021-11-07
MD5: 0ffe01ee43f4bb7b0bc80133aab79961
SHA-1: 8da07124d4a47570b665a7ef1105f3359f820f61
SHA-256: 51cc42f4229cb400b0924aea0a10ef8881cc2c1d64abafcaebb60dbaea963f5c
Risk score: 100

Malware Insights

MITRE ATT&CK
  • T1203 — Exploitation for Client Execution
  • T1566.001 — Spearphishing Attachment

The RTF document contains OLE object data and triggers automatic linking and updating of these objects, indicating an attempt to execute embedded content. The document body consists of seemingly random numbers and dates, lacking clear user-facing text, which is often a characteristic of obfuscated malicious documents. The heuristics strongly suggest exploitation of OLE object functionality for client execution.

Heuristics (3)

  • Automatically linked OLE object (severity: high, rule: RTF_OBJAUTLINK)
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects.