Malicious RTF — malware analysis report

Static analysis result for SHA-256 6f71e1c2e52e6eaa…

MALICIOUS

RTF

22.1 KB
MD5: 70c1a705af28923926d48b9181d383ad
SHA-1: f4fdc968e1b39e4108fea4c36e505074b5befe0f
SHA-256: 6f71e1c2e52e6eaa0c0fe2e5110f80e32709388b387802bcc7f30643100bc2f9
Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file contains OLE objects with embedded data, and a specific heuristic indicates that \objupdate forces OLE activation. This suggests the file is designed to exploit OLE object handling to execute code. The presence of OLE objects and the activation mechanism strongly point towards an exploitation attempt, likely delivered via spearphishing.

Heuristics (3)

  • Ole10Native stream in RTF OLE object (severity: high; tag: CVE related; rule: RTF_OLE10NATIVE_STREAM)
    RTF contains an embedded OLE object with an Ole10Native stream. This is a strong payload-container signal and is related to Word/OLE exploit delivery, but it is not specific enough on its own to assign a CVE.
  • \objupdate forces OLE activation (severity: high; rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium; rule: RTF_OBJDATA)
    RTF contains 2 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000b7a.bin
SHA-256:  2ee6879e66709211f5edfb095009a0776a0f770543d46a19b8f5bbcad9293b37
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0xB7A
Size:     4190 bytes