Malicious RTF — malware analysis report

Static analysis result for SHA-256 696b8c493deb16aa…

MALICIOUS

RTF

3.8 KB First seen: 2023-07-07
MD5: 40154945329e3690a5cc01a8075f90ca SHA-1: 28da7a14b91cf10ae5a04ab25248b7827be0cf66 SHA-256: 696b8c493deb16aab86d0c79ab918a25d5f1d96f91562c6af76135224a48d17e
80 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The RTF document contains embedded OLE objects, with heuristics indicating that \objupdate forces OLE activation. This suggests the file is designed to exploit OLE object handling vulnerabilities to execute arbitrary code. The specific exploit mechanism is not detailed, leading to a lower confidence in family attribution.

Heuristics 3

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00000090.bin
ce11ecdd82c2a4badf8a3708be262f066354b5860c2942f78a2cc57235cc9a30		 rtf-objdata-decoded RTF \objdata at offset 0x90 1850 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.