Malicious RTF — malware analysis report

Static analysis result for SHA-256 59e7f344c86d2ade…

MALICIOUS

RTF

102.5 KB First seen: 2023-09-05
MD5: cbf234faf143cd9fdc9702a6a976153c SHA-1: 3a80997a96677a0bacd43a14a776a5a3dd716cae SHA-256: 59e7f344c86d2adef46011daccd3206e9fb87ad3edc3b88910daf4e5bc5c2401
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The file is an RTF document containing OLE object data, indicated by the RTF_OBJDATA heuristic. The RTF_OBJUPDATE heuristic suggests that the embedded OLE object is designed to be activated automatically, likely leading to the execution of malicious code. The specific nature of the payload is not discernible from the provided heuristics and truncated document body.

Heuristics 2

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000012b9.bin
bad16494ee0916806b198997f23fff1ce998551dece5f2c16c676eea3b86e259		 rtf-objdata-decoded RTF \objdata at offset 0x12B9 842 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.