Malicious RTF — malware analysis report

Static analysis result for SHA-256 7845e720e2b06510…

Verdict: MALICIOUS

File type: RTF

Size: 4.5 KB    First seen: 2022-11-01
MD5:     8c594dad630e4486144c2ce3703a287e
SHA-1:   2f25bb2240d35d437201cfb4673265c9dabc7e94
SHA-256: 7845e720e2b065109261e4236027760ae5b8e45e2f3e7a3e3170d6a75f8f7d9a
Risk score: 60

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.002 User Execution: Malicious File

The RTF file carries embedded OLE object data (\objdata) and uses the \objupdate control word, which makes Word load and update the embedded object as soon as the document is opened, without any user interaction. That combination is the hallmark of documents that exploit a vulnerability in an OLE server (most often the Equation Editor) to run code when the file is opened, so the embedded object should be treated as the exploit payload rather than as a benign attachment. No specific malware family could be identified from the available heuristics.

Heuristics (2)

  • RTF_OBJUPDATE (severity: high): \objupdate forces OLE activation
    The RTF contains \objupdate, which forces the embedded OLE object to be instantiated automatically when the document is opened, bypassing user interaction. This control word is almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (severity: medium): OLE object data
    The RTF contains 1 \objdata section(s), i.e. embedded OLE object(s).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                    Kind                 Source                        Size
objdata_00_off00000071.bin  rtf-objdata-decoded  RTF \objdata at offset 0x71   2068 bytes
  SHA-256: f93dffa3d033ad4ff19b2dbffe264754d6c28b53a66d01bbad4d734599088dc5
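The two heuristics and the artifact carving above can be reproduced with a few lines of Python. The script below is an added example written for this page, not the scanner's own code: it flags \objupdate, finds every \objdata section, hex-decodes it, parses the OLE 1.0 ObjectHeader that \objdata carries (OLEVersion, FormatID, class name, native data size), checks whether the native data starts with the compound-file signature, and names each carved blob objdata_NN_offXXXXXXXX.bin after the offset of the \objdata keyword, mirroring the filename scheme in the table. The RTF it analyses is a constructed stand-in (SAMPLE_RTF, with a stub CFB header as the "embedded object"), not the 4.5 KB sample from this report, and the function and rule names are this example's own.

```python
import hashlib
import re
import struct

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound-file (OLE2) signature

# The two heuristics from the report: \objupdate present, \objdata present.
OBJUPDATE_RE = re.compile(rb"\\objupdate\b")
OBJDATA_RE = re.compile(rb"\\objdata\b\s*([0-9A-Fa-f\s]*)")


def build_ole1_embedded(class_name, native):
    """Wrap native data in an OLE 1.0 ObjectHeader (MS-OLEDS), the layout \\objdata carries."""
    cn = class_name + b"\x00"
    return (struct.pack("<II", 0x00000501, 2)            # OLEVersion, FormatID=2 (embedded)
            + struct.pack("<I", len(cn)) + cn              # ClassName: length incl. NUL, then bytes
            + struct.pack("<I", 0) + struct.pack("<I", 0)  # TopicName, ItemName (empty)
            + struct.pack("<I", len(native)) + native)     # NativeDataSize, NativeData


# Constructed sample RTF (assumption: NOT the analysed file). A stub CFB header stands in
# for a real embedded object; only its first 8 bytes matter to the check below.
FAKE_CFB = CFB_MAGIC + b"\x00" * 24
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\deff0\n"
    b"{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}\n"
    b"{\\*\\objdata " + build_ole1_embedded(b"Equation.3", FAKE_CFB).hex().encode() + b"}}\n"
    b"\\par }\n"
)


def parse_ole1(blob):
    """Return (class_name, native_data) from a decoded \\objdata blob, or None if malformed."""
    try:
        version, fmt = struct.unpack_from("<II", blob, 0)
        (cn_len,) = struct.unpack_from("<I", blob, 8)
        class_name = blob[12:12 + cn_len].rstrip(b"\x00")
        pos = 12 + cn_len
        for _ in range(2):                                  # skip TopicName and ItemName
            (n,) = struct.unpack_from("<I", blob, pos)
            pos += 4 + n
        (size,) = struct.unpack_from("<I", blob, pos)
        native = blob[pos + 4:pos + 4 + size]
    except struct.error:
        return None
    if version != 0x00000501 or fmt != 2 or len(native) != size:
        return None
    return class_name, native


def analyse_rtf(data):
    """Apply the two heuristics and carve every \\objdata section, as the report above does."""
    heuristics = []
    if OBJUPDATE_RE.search(data):
        heuristics.append(("RTF_OBJUPDATE", "high"))
    artifacts = []
    for idx, m in enumerate(OBJDATA_RE.finditer(data)):
        hexstr = re.sub(rb"\s", b"", m.group(1))
        if len(hexstr) % 2:
            hexstr = hexstr[:-1]                            # drop a dangling nibble
        blob = bytes.fromhex(hexstr.decode("ascii"))
        ole = parse_ole1(blob)
        artifacts.append({
            "filename": f"objdata_{idx:02d}_off{m.start():08x}.bin",
            "offset": m.start(),
            "size": len(blob),
            "sha256": hashlib.sha256(blob).hexdigest(),
            "class_name": ole[0].decode("latin-1") if ole else None,
            "native_is_cfb": bool(ole) and ole[1].startswith(CFB_MAGIC),
        })
    if artifacts:
        heuristics.append(("RTF_OBJDATA", "medium"))
    return {"heuristics": heuristics, "artifacts": artifacts}


if __name__ == "__main__":
    import json
    print(json.dumps(analyse_rtf(SAMPLE_RTF), indent=2))
```

Run it on a real file with analyse_rtf(open(path, "rb").read()). The regex deliberately mirrors the report's simple heuristics; in-the-wild exploit RTFs routinely obfuscate the \objdata stream (junk control words and non-hex bytes inside the hex run, odd nibble counts, the keyword split by groups), so for production triage use a tolerant parser such as rtfobj from oletools and treat this script as a readable specification of what the two rules look for.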