Malicious RTF — malware analysis report

Static analysis result for SHA-256 6c670d6a1cb0f4b4…

MALICIOUS

RTF

23.7 KB
MD5: cfeee36c618563537127b7c9c2787c45 SHA-1: 11eecb04a3b7ac8340252223670444059875e76d SHA-256: 6c670d6a1cb0f4b4845d9cb993415fa73545221cf2a22337ca077e97d9af76c5
100 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF document contains OLE objects with embedded data, and heuristics indicate that \objupdate is used to force OLE activation. This suggests the file is designed to exploit vulnerabilities in OLE object handling to achieve arbitrary code execution. The presence of embedded OLE object data further supports this, as it likely contains the malicious payload or a loader for it. No document body or script content was available for further analysis.

Heuristics 3

  • Ole10Native stream in RTF OLE object high CVE related RTF_OLE10NATIVE_STREAM
    RTF contains an embedded OLE object with an Ole10Native stream. This is a strong payload-container signal and is related to Word/OLE exploit delivery, but it is not specific enough on its own to assign a CVE.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00001bf0.bin
08b63d7bc3c312558e2d86a33844ec6106dfff62a96933089c359827fb462224		 rtf-objdata-decoded RTF \objdata at offset 0x1BF0 3691 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.