Malicious RTF — malware analysis report

Static analysis result for SHA-256 75ead6affc7b3c3a…

Verdict: MALICIOUS
File type: RTF
Size: 43.0 KB
Authoring application: Riched20 10.0.19041
First seen: 2022-12-16
MD5: dbbdfd25c954ccd01cba76f4b7b9279b
SHA-1: 20e746d5f90b17a95b1bfe0f5f61a8079ace36fd
SHA-256: 75ead6affc7b3c3aa847095c2f8ddd88d6993760f94302713fac740381ee17da
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1559.002 Component Object Model Hijacking
  • T1204.002 Malicious File

The RTF file contains embedded OLE object data which is configured to automatically update via a URL moniker. This suggests the document is designed to exploit vulnerabilities in OLE object handling to download and execute a secondary payload. The heuristics strongly indicate a technique commonly used for initial access and payload delivery.

Heuristics (4)

  • URL Moniker in RTF OLE object (severity: high; CVE related; ID: RTF_URL_MONIKER_RELATED)
    RTF contains a URL Moniker GUID in OLE object context, but no decoded remote target was confirmed. Treat as related OLE2Link attack-surface evidence rather than proof of CVE-2017-0199 exploitation.
  • Composite Moniker in RTF OLE object (severity: high; CVE related; ID: RTF_COMPOSITE_MONIKER_RELATED)
    RTF contains a Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • \objupdate forces OLE activation (severity: high; ID: RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium; ID: RTF_OBJDATA)
    RTF contains 1 \objdata section(s) (embedded OLE objects).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000040.bin
SHA-256: ac7c095892b48cf8eec4bc1942e5178f3aa5ddad432654e5e1ab83c7b791f6d4
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x40
Size: 3151 bytes