Malicious RTF — malware analysis report

Static analysis result for SHA-256 7bd94e71451f2f9e…

Verdict: MALICIOUS
File type: RTF
Size: 222.8 KB    Created: 2021-02-12 04:30:00
MD5: 66ca0f52cf358e56a855e5ac68232694
SHA-1: e7a396eb331b3367e6d36d2a4dfbbb37b8f3687f
SHA-256: 7bd94e71451f2f9edaff2033a9b0f5a87686e742b6bd2eef870d75cd8c82011e
Risk score: 82

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF contains one embedded OLE object (\objemb with a single \objdata section) carrying the \objupdate control word, which makes the host application instantiate and refresh the object as soon as the document is rendered, without the user double-clicking it. That combination is the usual delivery mechanism for client-execution exploits against OLE handlers, most commonly Equation Editor. The visible document body is a benign list of schools, so whatever is malicious lives in the OLE object's native data rather than in the text. No scripts were extracted, and the only URL found is the WordML XML namespace URI (http://schemas.microsoft.com/office/word/2003/wordml), an identifier Word routinely writes into the \xmlnstbl of saved documents and not a download or callback address. The forced-activation OLE object is therefore the sole basis for the verdict; the object's class name and native payload, which would confirm the targeted handler, are not reported here.

Heuristics (4)

  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    The RTF contains \objupdate, which forces automatic instantiation of the embedded OLE object when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (medium): OLE object data
    The RTF contains 1 \objdata section, the hex-encoded OLE 1.0 stream of an embedded object.
  • RTF_OBJEMB (medium): embedded OLE object
    The RTF contains \objemb, declaring an embedded (rather than linked) OLE object.
  • EMBEDDED_URL (info): embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label records which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2003/wordml (WordML XML namespace declaration from the \xmlnstbl group, not a network indicator)
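As an added example (not the scanner that produced this report, and not content from the analysed file), the following Python reproduces the four heuristics above and goes one step further: it decodes each \objdata blob as an OLE 1.0 stream to recover the class name, which is what tells you which handler \objupdate will load. The sample RTF it scans is constructed inline with a placeholder payload; the Equation Editor class-name set and the 64-byte context window used to label a URL's channel are assumptions, not something the report states.

```python
"""Static triage of an RTF for the heuristics in this report: \\objupdate,
\\objemb, \\objdata, the OLE 1.0 class name inside each \\objdata blob, and
embedded URLs with the channel they came from. Standard library only."""
import binascii
import re
import struct

# Assumption: OLE class names registered by Equation Editor (EQNEDT32.EXE).
# The report names "Equation Editor exploit documents" but gives no class list.
EQUATION_EDITOR_CLASSES = {"Equation.2", "Equation.3", "Equation.DSMT4"}

OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")
URL_RE = re.compile(rb"https?://[^\s\"'{}\\]+")


def parse_ole1(blob: bytes) -> dict:
    """Parse the OLE 1.0 object stream that \\objdata carries: a version
    dword, a format dword (2 = embedded), three length-prefixed ASCII strings
    (class name, topic, item), then a length-prefixed native-data payload."""
    version, fmt = struct.unpack_from("<II", blob, 0)
    off = 8
    names = []
    for _ in range(3):
        (n,) = struct.unpack_from("<I", blob, off)
        off += 4
        names.append(blob[off:off + n].rstrip(b"\x00").decode("latin-1"))
        off += n
    (native_size,) = struct.unpack_from("<I", blob, off)
    off += 4
    return {"version": version, "format_id": fmt, "class_name": names[0],
            "native_size": native_size, "native_data": blob[off:off + native_size]}


def scan_rtf(rtf: bytes) -> dict:
    """Return findings shaped like the report's heuristics for one RTF."""
    objects = []
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        if len(hexdata) % 2:              # odd nibble count: drop the dangling one
            hexdata = hexdata[:-1]
        blob = binascii.unhexlify(hexdata)
        try:
            objects.append(parse_ole1(blob))
        except struct.error:              # too short to be a valid OLE 1.0 header
            objects.append({"class_name": None, "native_size": len(blob),
                            "malformed": True})

    urls = []
    for m in URL_RE.finditer(rtf):
        # Assumption: a \xmlns control word within 64 bytes before the URL means
        # it came from the XML namespace table rather than the document body.
        before = rtf[max(0, m.start() - 64):m.start()]
        channel = "xml namespace table" if b"\\xmlns" in before else "document body"
        urls.append({"url": m.group(0).decode("latin-1"), "channel": channel})

    found_classes = {o.get("class_name") for o in objects}
    findings = {
        "objupdate": b"\\objupdate" in rtf,
        "objemb": b"\\objemb" in rtf,
        "objdata_count": len(objects),
        "objects": objects,
        "urls": urls,
        "equation_editor_object": bool(found_classes & EQUATION_EDITOR_CLASSES),
    }
    if findings["objupdate"] and objects:
        findings["risk"] = "high"         # forced activation of an embedded object
    elif objects:
        findings["risk"] = "medium"       # embedded object, user must activate it
    else:
        findings["risk"] = "low"
    return findings


def build_sample_rtf(class_name: str = "Equation.3") -> bytes:
    """Constructed test document, not the analysed file (the report does not
    reproduce its content): a benign-looking school list, the WordML namespace
    table, and one \\objemb\\objupdate object whose OLE 1.0 header names
    class_name. The native data is a 4-byte placeholder, not a real payload."""
    cls = class_name.encode("ascii") + b"\x00"
    native = b"\x1c\x00\x00\x00"
    ole1 = struct.pack("<II", 0x00000501, 2)
    ole1 += struct.pack("<I", len(cls)) + cls
    ole1 += struct.pack("<I", 0) + struct.pack("<I", 0)   # empty topic and item
    ole1 += struct.pack("<I", len(native)) + native
    body = (b"{\\rtf1\\ansi"
            b"{\\*\\xmlnstbl {\\xmlns1 http://schemas.microsoft.com/office/word/2003/wordml}}"
            b"\\pard Springfield Elementary\\par Shelbyville High\\par ")
    obj = (b"{\\object\\objemb\\objupdate{\\*\\objclass " + class_name.encode("ascii")
           + b"}{\\*\\objdata " + binascii.hexlify(ole1) + b"}}")
    return body + obj + b"}"


if __name__ == "__main__":
    result = scan_rtf(build_sample_rtf())
    for key in ("objupdate", "objemb", "objdata_count", "equation_editor_object", "risk"):
        print(f"{key}: {result[key]}")
    for o in result["objects"]:
        print("object class:", o["class_name"], "native bytes:", o["native_size"])
    for u in result["urls"]:
        print("url:", u["url"], "via", u["channel"])
```

On a real sample the same extraction is what oletools' rtfobj performs; the hand-rolled version is here to make the point that \objdata is nothing more than a hex-encoded OLE 1.0 stream, and that its class-name field is the one fact the report above does not give, yet the one that pins down which handler \objupdate will force into memory.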