Malicious RTF — malware analysis report

Static analysis result for SHA-256 902b89feaecf9fd5…

Verdict: MALICIOUS
File type: RTF
File size: 1.24 MB
MD5: 1cc6e550e2e414d143e835b0f5f53f41
SHA-1: 4005ec6ad52495ccaa23a2036788e23c1a4a9adb
SHA-256: 902b89feaecf9fd52cae5e6a42f3f22f9aebb9d219c1ff0a70361165fd4b2e51
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1559.001 Component Object Model Hijacking
  • T1204.002 Malicious File

The RTF document contains multiple OLE objects, with one at offset 0x5FC8 triggering an \objupdate command. This indicates the document is designed to exploit OLE object vulnerabilities, likely to embed and execute a malicious payload. No specific family could be identified due to the lack of script content or network indicators.

Heuristics (3)

  • [high] RTF_OBJUPDATE: \objupdate forces OLE activation
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • [medium] RTF_OBJDATA: OLE object data
    RTF contains 3 \objdata section(s) (embedded OLE objects).
  • [medium] RTF_OBJEMB: Embedded OLE object
    RTF contains \objemb (embedded OLE object).

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                    | SHA-256                                                          | Kind                | Source                        | Size
----------------------------|------------------------------------------------------------------|---------------------|-------------------------------|-------------
objdata_00_off00000cd5.bin  | 318f1805d18b3d46eba12ba368f541ae0cb6186bbd02d5a2fa3502f229e50d4a | rtf-objdata-decoded | RTF \objdata at offset 0xCD5  | 9427 bytes
objdata_01_off00005ba4.bin  | e4d277874d9b18c12a63a3ef5684febe5889d08550bc2357b9e03cb4855dff42 | rtf-objdata-decoded | RTF \objdata at offset 0x5BA4 | 276 bytes
objdata_02_off000063fe.bin  | b6aed7349135db8a1148f71a0cb20218e9faff1d678c5ddfc875bb42f9659a44 | rtf-objdata-decoded | RTF \objdata at offset 0x63FE | 142789 bytes