Malicious RTF — malware analysis report

Static analysis result for SHA-256 7585af7ff26196fb…

MALICIOUS

RTF

323.5 KB First seen: 2023-07-24
MD5: f6ada0ceac68af3ed2c321533d308440 SHA-1: 05c608b9e1623941f1d197f12fc9565e3dfdc271 SHA-256: 7585af7ff26196fbcca44cac2efda77246a206b63cb476daad00352c15e55127
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1027 Obfuscated Files or Information

The RTF file contains OLE object data and a \objupdate directive, indicating an attempt to embed and activate external content. This is a common technique for delivering malicious payloads. Without further analysis of the embedded object, the specific family and full attack chain remain unclear.

Heuristics 2

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000012f9.bin
bf8411fe7590f8ca03e8bb4130ced8e49c6d25a6a60d9879ee6afb50e9e4290d		 rtf-objdata-decoded RTF \objdata at offset 0x12F9 98528 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.