Malicious RTF — malware analysis report

Static analysis result for SHA-256 84ee7c10c7654f06…

Verdict: MALICIOUS
File type: RTF
Size: 6.9 KB
MD5: 52575bbfc0e0e0a70370e4da1056b926
SHA-1: 7d585bbed9b9cf056154d27e15fb2bc39075a8df
SHA-256: 84ee7c10c7654f062a242e63e827ffe3fe2ed16f24dd0cf8900b2d0e5e4c4179
Risk score: 60

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File
  • T1059.001 PowerShell

The RTF document contains OLE object data and an \objupdate directive, indicating an attempt to exploit an OLE vulnerability. The presence of an embedded OLE object suggests a delivery mechanism for a secondary payload. While no specific URLs were extracted, the heuristic firings strongly suggest a malicious intent to execute code.

Heuristics (2)

  • RTF_OBJUPDATE (severity: high): \objupdate forces OLE activation
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (severity: medium): OLE object data
    RTF contains 1 \objdata section(s) — embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000088e.bin
SHA-256: 501e98b1486e051c901f7aba0db54bfdb1a01c033ceab33a1971fb9adaef29e3
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x88E
Size: 1697 bytes