Malicious RTF — malware analysis report

Static analysis result for SHA-256 53ee6e8b3e691adc…

MALICIOUS

RTF

20.9 KB First seen: 2021-11-21
MD5: 8bc61a6d0edfc18d880f9d688f2035ce SHA-1: 05f92743101d3979a8590368608b78c4e18aea0f SHA-256: 53ee6e8b3e691adc4d052a3ecd5b4339e6154faa5ec29a7a3827a7ceec1f0af7
100 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF document contains OLE object data that is forced to activate via \objupdate, indicating an attempt to execute embedded content. The high entropy of the decoded OLE object stream suggests it is likely packed or encrypted, further supporting its malicious nature. Without further analysis of the OLE object's contents, the specific family and payload remain unknown.

Heuristics 3

  • Ole10Native stream in RTF OLE object high CVE related RTF_OLE10NATIVE_STREAM
    RTF contains an embedded OLE object with an Ole10Native stream. This is a strong payload-container signal and is related to Word/OLE exploit delivery, but it is not specific enough on its own to assign a CVE.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0000086a.bin rtf-objdata-decoded RTF \objdata at offset 0x86A 4188 bytes
SHA-256: 82de815cdc0d7b5fda25535d206d930a5efa3358133643ed6a494360e703bbae

Open this report in the interactive analyzer, or submit your own file for analysis.