Malicious RTF — malware analysis report

Static analysis result for SHA-256 7c3b4bdf6ecc2a90…

Verdict: MALICIOUS
File type: RTF
Size: 126.2 KB
First seen: 2024-06-19
MD5: eafca03d4c9a36b476b6ecb59e3c285e
SHA-1: 2733e124cca06c861792664378bcd87f5460e2fc
SHA-256: 7c3b4bdf6ecc2a908ece465a2650c764d87caaaa0b5c21e1c9664e68154eff50
Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The RTF file contains OLE object data and triggers the RTF object-activation heuristic (\objupdate), indicating that it likely embeds malicious content and attempts to execute it when the document is opened. The specific nature of the payload cannot be determined from the heuristics alone or from the truncated document body.

Heuristics (3)

  • Ole10Native stream in RTF OLE object | severity: high | CVE related | rule: RTF_OLE10NATIVE_STREAM
    RTF contains an embedded OLE object with an Ole10Native stream. This is a strong payload-container signal and is related to Word/OLE exploit delivery, but it is not specific enough on its own to assign a CVE.
  • \objupdate forces OLE activation | severity: high | rule: RTF_OBJUPDATE
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data | severity: medium | rule: RTF_OBJDATA
    RTF contains 1 \objdata section(s): embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001c15.bin
SHA-256:  c0c5158aa0afe79caf28f75c2d8caa24d3e1336d540ffa610c81be07e7d2c1f7
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x1C15
Size:     4168 bytes