Malicious RTF — malware analysis report

Static analysis result for SHA-256 7fd6dd0bb09a2576…

MALICIOUS

RTF

Size: 24.2 KB
First seen: 2023-05-30
MD5: d5f1fcbea622e3a99638f18a06493af3
SHA-1: f6aae3a6f95454894e796d68ed5717c1fddc3412
SHA-256: 7fd6dd0bb09a25769e6fb65c4a7475301f995f3df2a4f209c9fb9cec49638d34
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.002 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

The RTF document contains OLE object data and uses the \objupdate control word to force OLE activation when the document is opened, indicating an attempt to exploit an embedded object without user interaction. This technique is commonly used to deliver malicious payloads. No specific family could be identified, and no further IOCs were extracted.

Heuristics (2)

  • \objupdate forces OLE activation [severity: high] (RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [severity: medium] (RTF_OBJDATA)
    RTF contains 1 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
objdata_00_off000016ec.bin | rtf-objdata-decoded | RTF \objdata at offset 0x16EC | 3671 bytes
  SHA-256: 519e92a85bafeb7b3e80830310fe7d6f940866cf4aefe10355a9b5b9dd4d0cda