Malicious RTF — malware analysis report

Static analysis result for SHA-256 718dcc870c0de487…

MALICIOUS

RTF

21.7 KB
MD5: 5aad2b6635b3069402aaf6ff389bea64 SHA-1: a8617ddffd6c934fcf3f64c6e84b1a23ffa9d092 SHA-256: 718dcc870c0de487595feed4e5e43dc70fba6fa2aaac15462c0ba5c20028e7bd
100 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF file contains OLE object data and triggers OLE activation, indicating exploitation of a vulnerability. The embedded OLE object is decoded and contains executable content. While no specific script language was directly identified, the exploitation mechanism suggests a pattern of client-side execution, likely for downloading further malicious content. The document body is heavily obfuscated and unreadable.

Heuristics 3

  • Ole10Native stream in RTF OLE object high CVE related RTF_OLE10NATIVE_STREAM
    RTF contains an embedded OLE object with an Ole10Native stream. This is a strong payload-container signal and is related to Word/OLE exploit delivery, but it is not specific enough on its own to assign a CVE.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00000b39.bin
b40083435183b70a11a8dd1af9400345e83d5bf1190211a4e5e1430e546d9505		 rtf-objdata-decoded RTF \objdata at offset 0xB39 4194 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.