Malicious RTF — malware analysis report

Static analysis result for SHA-256 79f481158cf60cec…

MALICIOUS

RTF

Size: 2.9 KB
First seen: 2023-08-04
MD5: 62ae70d26d5ac24c57e519bf4f2a9aa7
SHA-1: 2720cc0e9c0720afae5ca417fa8f0dd4f082463c
SHA-256: 79f481158cf60cec713c5e56180bbd2223ced74eb7b8828a6ccb4498b63f059e
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The RTF file contains embedded OLE object data, indicated by RTF_OBJDATA and RTF_OBJEMB heuristics. The RTF_OBJUPDATE heuristic suggests that the embedded object is designed to be activated automatically, likely leading to the execution of malicious code. The specific exploit or payload is not detailed, but the mechanism points to a classic OLE object exploitation technique.

Heuristics (3)

  • \objupdate forces OLE activation [high] RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object [medium] RTF_OBJEMB
    RTF contains \objemb — embedded OLE object

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000095.bin
SHA-256: 71544bfbda4e810c08c817f8ac18c82052a0d80497e455d806507de6d871474d
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x95
Size: 1395 bytes