Malicious RTF — malware analysis report

Static analysis result for SHA-256 781387a0b7b87c4f…

MALICIOUS

RTF

3.3 KB First seen: 2023-10-06
MD5: 58965552782ef0c6a454d8d16e27d319 SHA-1: 49b3f40cc217e262202d9c961734ebf4a21b25ee SHA-256: 781387a0b7b87c4faf3f4da77706ab7af2af9fc84996e36fa05f83f5b97641c0
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The RTF file contains OLE object data and an \objupdate directive, indicating an attempt to exploit OLE object activation. This is a common technique for delivering malicious payloads. The specific exploit and payload are not detailed in the provided evidence, leading to an unknown family attribution.

Heuristics 2

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00000098.bin
db2533f01cbc0c5571103af4f013b04aaa12d97c45d54a0769023cc007bc0153		 rtf-objdata-decoded RTF \objdata at offset 0x98 1593 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.