Malicious RTF — malware analysis report

Static analysis result for SHA-256 808af60dd198f9b9…

Verdict: MALICIOUS
File type: RTF
Size: 24.6 KB
First seen: 2023-05-30
MD5: 37da8e8fb8400046aa010dd182aa28f7
SHA-1: 79730533fc0a40bcdcd2df8151772abed8da41f8
SHA-256: 808af60dd198f9b9390c79c6e82c699df3c0b317bb2763e90c7eabae8bf22679
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The sample is an RTF file containing OLE object data, indicated by the RTF_OBJDATA heuristic. The RTF_OBJUPDATE heuristic suggests that the embedded OLE object is configured to activate automatically, which is a common technique for exploiting vulnerabilities or executing embedded code. While no specific payload or script was directly extracted and readable, the presence of these heuristics strongly implies an attempt to achieve arbitrary code execution upon opening the document, likely serving as a downloader for further malicious activity.

Heuristics (2)

  • RTF_OBJUPDATE (severity: high): \objupdate forces OLE activation
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (severity: medium): OLE object data
    RTF contains 1 \objdata section(s) (embedded OLE objects).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: objdata_00_off00000f65.bin
    SHA-256: bff12901e85f49a591d1bf9adf733c9fd2d5b168c58f6e557f3d64c2d738b43c
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0xF65
    Size: 4190 bytes