Malicious RTF — malware analysis report

Static analysis result for SHA-256 8c794dd435d44fea…

Verdict: MALICIOUS
File type: RTF
Size: 172.6 KB
First seen: 2024-06-28
MD5: 6c502f63642761f32b454d1eedee5ee3
SHA-1: c97c0498e028ef63acd9d972cc3a03cc4c519a68
SHA-256: 8c794dd435d44feac82bb08b9f6fb9c95b71c5f1fe4762da37f49d0b6ed21be7
Risk score: 80

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 Malicious File: User Execution

The RTF file contains OLE object data, and heuristics indicate that \objupdate forces OLE activation, suggesting the document is designed to execute its embedded content as soon as it is opened. The presence of an embedded OLE object further supports this. While no specific malware family is identified, the mechanism points to a malicious document built for exploitation.

Heuristics (3)

  • \objupdate forces OLE activation [severity: high] RTF_OBJUPDATE
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [severity: medium] RTF_OBJDATA
    RTF contains 1 \objdata section(s): embedded OLE objects.
  • Embedded OLE object [severity: medium] RTF_OBJEMB
    RTF contains \objemb: embedded OLE object.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000141f.bin
SHA-256: 40837fdfb9f265b3a2635a655d2d0cb82b7c4fc394bc9b68e5d22e931208c904
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x141F
Size: 4174 bytes