Malicious RTF — malware analysis report

Static analysis result for SHA-256 87c6b480e38cb82e…

MALICIOUS

RTF

24.2 KB
MD5: a025cb1ed7610a560adac89750f1851c SHA-1: e5bc95cf4a37322ab42b645e34c859176dd7f646 SHA-256: 87c6b480e38cb82e39c70231315ee141a38bebc96fe313c35a69da2257811531
100 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF document contains OLE object data and uses \objupdate to force OLE activation, indicating an attempt to execute embedded code. The decoded OLE object stream, named 'objdata_00_off00001c7f.bin', is the primary artifact. This technique is commonly used to download and execute further malicious stages.

Heuristics 3

  • Ole10Native stream in RTF OLE object high CVE related RTF_OLE10NATIVE_STREAM
    RTF contains an embedded OLE object with an Ole10Native stream. This is a strong payload-container signal and is related to Word/OLE exploit delivery, but it is not specific enough on its own to assign a CVE.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00001c7f.bin
0453f7aabe9bf66aa6c43fd925d9efa26276079782b5c4d099c559e81c769fe8		 rtf-objdata-decoded RTF \objdata at offset 0x1C7F 4187 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.