Malicious RTF — malware analysis report

Static analysis result for SHA-256 828c067539368aee…

MALICIOUS

RTF

27.2 KB First seen: 2023-06-07
MD5: d34424d4ff9030116dedad2314fabbcf SHA-1: e8f114e73f8f856483d652344b4ba9334e5b0a14 SHA-256: 828c067539368aee17656ddb7d1c95f9567d7f2bd80b876cabbeed104556f98b
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The RTF file contains embedded OLE object data and uses an \objupdate directive, indicating an attempt to exploit OLE activation vulnerabilities. This suggests the file is designed to deliver a malicious payload when opened. No specific family could be identified, and the document body was heavily obfuscated and unreadable.

Heuristics 2

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00001947.bin
dd3dd133de2aa7cdb35a7ea432368ad4f91a21d72158980fcab4c3254d3ca160		 rtf-objdata-decoded RTF \objdata at offset 0x1947 4194 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.