Malicious RTF — malware analysis report

Static analysis result for SHA-256 91abfd7872b6e3ca…

Verdict: MALICIOUS
File type: RTF
Size: 9.5 KB
MD5: c7db35c41ce473d396f1fc67c50a96fd
SHA-1: b12c560c00741e9dacb0ceeb0cbd0c97006335d3
SHA-256: 91abfd7872b6e3ca80d14264a04645a1a1942cdb7a788b43f51f57a6a3256518
Risk score: 60

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File
  • T1059.001 PowerShell

The RTF document contains OLE object data and uses \objupdate to force OLE activation, indicating an attempt to exploit a vulnerability. The presence of embedded OLE objects and the RTF_OBJUPDATE heuristic strongly suggest a malicious intent to execute code upon opening. No specific malware family could be identified from the available heuristics.

Heuristics (2)

  • \objupdate forces OLE activation [severity: high] RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [severity: medium] RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000015e5.bin
SHA-256:  6f71cb66b1c100419b456760e997dc929b17cf59fbfb396a9c7f7c077ea570ea
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x15E5
Size:     1513 bytes