Malicious RTF — malware analysis report

Static analysis result for SHA-256 5c8576030e57fa5a…

MALICIOUS

RTF

Size: 23.5 KB
First seen: 2023-05-24
MD5: bc7ed676fe3515f3585501bd2169b930
SHA-1: 7a8f74c911247ceed02494878354569281d99509
SHA-256: 5c8576030e57fa5ab882d4fc501151150ac944c9f775c5ebd0359295beaed43b
Risk score: 60

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.002 User Execution: Malicious File

The RTF contains one embedded OLE object (\objdata) together with the \objupdate control word, which makes the word processor instantiate the object as soon as the document is opened instead of waiting for the user to activate it. That combination is the usual delivery pattern for documents that exploit an OLE object handler such as the Equation Editor; by itself it proves intent rather than a specific exploit, so the carved object should be inspected for its OLE class name and for shellcode. No document body or script content was available, so the specific payload and malware family cannot be determined from static analysis alone.

Heuristics (2)

  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (medium): OLE object data
    RTF contains 1 \objdata section(s), i.e. embedded OLE objects.
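The following script is an added example, not output of the analysis tool and not code from this page. It implements the two heuristics above (flag \objupdate, find every \objdata section) and carves the hex-encoded object the way the extracted-artifacts section reports it, then reads the class name from the OLE1 object header (layout per MS-OLEDS). The RTF it scans is constructed inline; the class name Equation.3 and the control-word layout are assumptions chosen for illustration, not properties of the analyzed sample.

```python
"""Minimal RTF triage: flag \\objupdate, carve \\objdata, read the OLE1 class name."""
import re
import struct

# Constructed sample RTF (not the analyzed file): one embedded object with \objupdate
# and a hex-encoded \objdata group carrying a small OLE1 embedded-object record.
def build_sample_rtf() -> bytes:
    class_name = b"Equation.3\x00"                       # assumed class, illustration only
    native = bytes.fromhex("d0cf11e0a1b11ae1")           # CFB magic stands in for a payload
    ole1 = (
        struct.pack("<II", 0x501, 2)                     # OLEVersion, FormatID 2 = embedded
        + struct.pack("<I", len(class_name)) + class_name
        + struct.pack("<II", 0, 0)                       # empty TopicName and ItemName
        + struct.pack("<I", len(native)) + native        # NativeDataSize, NativeData
    )
    return (b"{\\rtf1\\ansi\\deff0 Invoice attached.\n"
            b"{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
            b"{\\*\\objdata " + ole1.hex().encode() + b"}}}")

OBJDATA_RE = re.compile(rb"\\objdata(?![a-zA-Z])")
OBJUPDATE_RE = re.compile(rb"\\objupdate(?![a-zA-Z])")
# A control word (\par, \bin12) with its optional trailing space, or a control symbol (\*).
CONTROL_RE = re.compile(rb"\\[a-zA-Z]+-?\d* ?|\\[^a-zA-Z]")

def _hex_after(data: bytes, pos: int) -> bytes:
    """Collect hex digits from pos until the brace that closes the enclosing group."""
    out, depth, i = bytearray(), 0, pos
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":                                   # skip control words mixed into the hex
            m = CONTROL_RE.match(data, i)
            i = m.end() if m else i + 1
            continue
        if c == b"{":
            depth += 1
        elif c == b"}":
            if depth == 0:
                break                                    # end of the \objdata group
            depth -= 1
        elif c in b"0123456789abcdefABCDEF":
            out += c
        i += 1
    return bytes(out)

def ole1_class_name(blob: bytes):
    """ClassName from an OLE1 ObjectHeader (MS-OLEDS 2.2.4), or None if malformed."""
    if len(blob) < 12:
        return None
    _version, format_id, name_len = struct.unpack_from("<III", blob, 0)
    if format_id not in (1, 2) or name_len > len(blob) - 12:   # 1 = linked, 2 = embedded
        return None
    return blob[12:12 + name_len].rstrip(b"\x00").decode("latin-1")

def carve_objdata(data: bytes) -> list:
    """One record per \\objdata section: file offset, decoded bytes, size, class name."""
    records = []
    for m in OBJDATA_RE.finditer(data):
        hexstr = _hex_after(data, m.end())
        if len(hexstr) % 2:
            hexstr = hexstr[:-1]                         # odd nibble count: drop the tail
        blob = bytes.fromhex(hexstr.decode("ascii"))
        records.append({"offset": m.start(), "size": len(blob), "data": blob,
                        "class_name": ole1_class_name(blob)})
    return records

def triage(data: bytes) -> dict:
    """Apply the two heuristics and return them with the carved objects."""
    objects = carve_objdata(data)
    findings = []
    if objects:
        findings.append(("RTF_OBJDATA", "medium"))
    if OBJUPDATE_RE.search(data):
        findings.append(("RTF_OBJUPDATE", "high"))
    return {"heuristics": findings, "objects": objects}

if __name__ == "__main__":
    result = triage(build_sample_rtf())
    for name, severity in result["heuristics"]:
        print(f"{name:16} {severity}")
    for obj in result["objects"]:
        print(f"objdata at 0x{obj['offset']:X}: {obj['size']} bytes, "
              f"class {obj['class_name']!r}")
```

Real samples pad the hex with junk control words and whitespace, which is why the scanner skips control words instead of taking the group verbatim; a \bin run or an \objclass that disagrees with the OLE1 ClassName are both worth a second look.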

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000ae7.bin
SHA-256: bd73bd96f182780400ade75b44f01a25fe3bd5f3085c50902dc0eab565c29b0f
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0xAE7
Size: 4157 bytes

The carved file is the hex-decoded \objdata payload. Its OLE1 object header carries the class name of the OLE server the object targets, which is the first thing to check when deciding whether this is an Equation Editor exploit or some other embedded object.