Malicious RTF — malware analysis report

Static analysis result for SHA-256 63a4d25662e8bff7…

MALICIOUS

RTF

23.3 KB
MD5: 4fb3237b29a75d71c8f640593460150f
SHA-1: c5758e0dc7c725dd6db7cff5f6bd779768d1e985
SHA-256: 63a4d25662e8bff75c8d1319c9387dff3ca65ddcb9f3968b1ce9c52cefcb2020
Risk score: 100

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file contains OLE object data whose activation is forced via \objupdate, so the embedded content is instantiated as soon as the document is opened, without any user interaction. The high entropy of the decoded OLE object suggests a packed or encrypted payload. No specific malware family is identifiable, but the technique matches malicious documents that abuse OLE object handling (classically Equation Editor) for initial execution, typically delivered as a spearphishing attachment.

Heuristics (3)

  • Ole10Native stream in RTF OLE object [high, CVE related] RTF_OLE10NATIVE_STREAM
    RTF contains an embedded OLE object with an Ole10Native stream. This is a strong payload-container signal and is associated with Word/OLE exploit delivery, but on its own it is not specific enough to assign a CVE.
  • \objupdate forces OLE activation [high] RTF_OBJUPDATE
    RTF contains \objupdate, which forces the OLE object to be instantiated automatically when the document is opened, with no user interaction. Seen almost exclusively in Equation Editor (EQNEDT32.EXE) exploit documents.
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 2 \objdata sections (embedded OLE objects).
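
The three heuristics above, and the entropy observation in the insights paragraph, can be reproduced with a short script. The following Python is an added example, not code from this report or its scanner: it finds every \objdata group, decodes the hex into the OLE 1.0 object header (MS-OLEDS ObjectHeader / EmbeddedObject layout), checks for \objupdate, looks for the Ole10Native signal (a Package-class object, or a compound file whose directory names the \x01Ole10Native stream) and measures the Shannon entropy of the native payload. The sample document, its class names and payload bytes are constructed here; the rule id HIGH_ENTROPY_PAYLOAD is a hypothetical addition, the other three are the ids used in the list above.

```python
import hashlib
import math
import re
import struct

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"           # OLE compound file (CFB) header
OLE10NATIVE_NAME = "\x01Ole10Native".encode("utf-16-le")  # stream name as stored in a CFB directory
OBJDATA_RE = re.compile(rb"\\objdata\b")
OBJUPDATE_RE = re.compile(rb"\\objupdate\b")
CONTROL_RE = re.compile(rb"(?s)\\'[0-9A-Fa-f]{2}|\\[A-Za-z]+-?[0-9]* ?|\\.")  # \'hh, control word, control symbol


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for an empty or constant buffer, 8.0 for uniformly random bytes."""
    n = len(data)
    probs = [data.count(b) / n for b in range(256)] if n else []
    return -sum(p * math.log2(p) for p in probs if p)


def _objdata_hex(rtf: bytes, start: int) -> bytes:
    """Hex digits of one \\objdata group up to its closing brace, skipping control words and nested groups."""
    digits, depth, i = bytearray(), 0, start
    while i < len(rtf):
        c = rtf[i]
        if c == 0x5C:                                    # '\': skip the whole control word / symbol
            m = CONTROL_RE.match(rtf, i)
            i = m.end() if m else i + 1
            continue
        if c == 0x7D and depth == 0:                     # '}' that closes the \objdata group
            break
        depth += (c == 0x7B) - (c == 0x7D)               # track '{' ... '}' nesting
        if depth == 0 and c in b"0123456789abcdefABCDEF":
            digits.append(c)
        i += 1
    if len(digits) % 2:                                  # Word drops an unpaired trailing nibble
        digits.pop()
    return bytes(digits)


def _lp_ansi_string(buf: bytes, pos: int):
    """LengthPrefixedAnsiString (MS-OLEDS 2.1.4): u32 length incl. NUL, then the bytes; 0 = absent."""
    (length,) = struct.unpack_from("<I", buf, pos)
    text = buf[pos + 4:pos + 4 + length].split(b"\x00", 1)[0].decode("latin-1")
    return text, pos + 4 + length


def parse_ole1_object(blob: bytes):
    """OLE 1.0 ObjectHeader (MS-OLEDS 2.2.4); returns (class_name, native_data)."""
    _version, format_id = struct.unpack_from("<II", blob, 0)
    class_name, pos = _lp_ansi_string(blob, 8)
    _topic, pos = _lp_ansi_string(blob, pos)
    _item, pos = _lp_ansi_string(blob, pos)
    if format_id != 2:                                   # FormatID 1 = linked object, no native data
        return class_name, b""
    (size,) = struct.unpack_from("<I", blob, pos)        # EmbeddedObject: u32 NativeDataSize + NativeData
    return class_name, blob[pos + 4:pos + 4 + size]


def triage_rtf(rtf: bytes) -> dict:
    """Per-\\objdata signals: class name, native size, CFB magic, Ole10Native, entropy."""
    report = {"objupdate": bool(OBJUPDATE_RE.search(rtf)), "objects": []}
    for m in OBJDATA_RE.finditer(rtf):
        blob = bytes.fromhex(_objdata_hex(rtf, m.end()).decode("ascii"))
        try:
            class_name, native = parse_ole1_object(blob)
        except struct.error:                             # truncated or deliberately broken header
            report["objects"].append({"offset": m.start(), "malformed": True})
            continue
        report["objects"].append({
            "offset": m.start(), "class_name": class_name, "native_size": len(native),
            "is_cfb": native.startswith(CFB_MAGIC),
            # Package objects keep their payload in Ole10Native layout, and a CFB that holds
            # that stream lists its name in the directory: either is the Ole10Native signal.
            "ole10native": class_name == "Package" or OLE10NATIVE_NAME in native,
            "entropy": round(shannon_entropy(native), 2)})
    return report


def heuristics(report: dict) -> list:
    """Rule ids from the list above; HIGH_ENTROPY_PAYLOAD is a hypothetical extra for the entropy finding."""
    objs = report["objects"]
    checks = [("RTF_OBJDATA", bool(objs)),
              ("RTF_OBJUPDATE", report["objupdate"]),
              ("RTF_OLE10NATIVE_STREAM", any(o.get("ole10native") for o in objs)),
              ("HIGH_ENTROPY_PAYLOAD", any(o.get("entropy", 0.0) > 7.0 for o in objs))]
    return [rule for rule, hit in checks if hit]


def build_ole1_embedded(class_name: str, native: bytes) -> bytes:
    """Build the OLE 1.0 EmbeddedObject blob that an \\objdata group decodes to (used for the sample)."""
    def lp(s: str) -> bytes:
        raw = s.encode("latin-1") + b"\x00" if s else b""
        return struct.pack("<I", len(raw)) + raw
    return (struct.pack("<II", 0x00000501, 2) + lp(class_name) + lp("") + lp("")
            + struct.pack("<I", len(native)) + native)


def build_sample_rtf(objects, objupdate: bool = True) -> bytes:
    """Constructed document (not the analysed file): one \\object group per (class, native) pair."""
    body = b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Calibri;}}\\pard Please see the attached invoice.\\par\n"
    for class_name, native in objects:
        body += (b"{\\object\\objemb" + (b"\\objupdate" if objupdate else b"") + b"\\objw1440\\objh1440"
                 + b"{\\*\\objclass " + class_name.encode("ascii") + b"}{\\*\\objdata "
                 + build_ole1_embedded(class_name, native).hex().encode("ascii")
                 + b"}{\\result{\\pict\\wmetafile8 0100}}}\n")
    return body + b"}"


# Constructed inputs: a pseudo-random "packed" payload inside a Package object, and a
# low-entropy Equation.3 object whose native data is the start of an OLE compound file.
PACKED_PAYLOAD = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
SAMPLE_RTF = build_sample_rtf([("Package", PACKED_PAYLOAD), ("Equation.3", CFB_MAGIC + b"\x00" * 120)])
```

Running `heuristics(triage_rtf(SAMPLE_RTF))` on the constructed document yields all three rule ids from the list above plus the hypothetical entropy rule, and `triage_rtf(open(path, "rb").read())` works on a real file. The hex collector only handles the basic obfuscations (interleaved control words, nested groups, an odd trailing nibble); for samples in the wild, oletools' rtfobj implements the full set of tricks and should be preferred, but the layout it decodes is the same OLE 1.0 header shown here.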

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000008e9.bin
SHA-256:  c0461fd31d953594259443b2c791d07026fb7aee0da5c2a25a6e784b03cd8b52
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x8E9
Size:     4685 bytes