Malicious RTF — malware analysis report

Static analysis result for SHA-256 93abfd8f744453b1…

MALICIOUS

RTF

Size: 20.0 KB    First seen: 2023-05-04
MD5: 5ee93a1d15d2d02268cf4755b7b5d7db
SHA-1: ba91217aad5342da36c024f73684cf8973c363a4
SHA-256: 93abfd8f744453b14b83135adf604235e93c901c54a8a95ec0d463035c4b5ac3
Risk score: 100

Malware Insights

MITRE ATT&CK
T1559.001 Inter-Process Communication: Component Object Model
T1137.001 Office Application Startup: Office Template Macros (reported by the scanner; the heuristics below evidence OLE activation only, not template macros)

The RTF contains an embedded OLE object marked as automatically linked (\objautlink) and automatically updated (\objupdate), so Word instantiates the object's server as soon as the document is opened, with no click or prompt from the user. This activation pattern is how Equation Editor and similar OLE exploit documents deliver their payload. Only the \objdata blob was present; no document body or script content was available, so the payload's family and detailed execution flow could not be determined from static analysis alone.

Heuristics (3)

  • RTF_OBJAUTLINK (high): automatically linked OLE object
    RTF contains \objautlink, an automatically linked OLE object that Word can update or activate when the document is opened.
  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    RTF contains \objupdate, which forces the OLE object to be instantiated when the document is opened, bypassing user interaction. Most often seen in Equation Editor exploit documents, and in other exploits that rely on automatic OLE activation.
  • RTF_OBJDATA (medium): OLE object data
    RTF contains 1 \objdata section(s) holding hex-encoded embedded OLE object(s).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                     Kind                  Source                         Size
objdata_00_off000006eb.bin   rtf-objdata-decoded   RTF \objdata at offset 0x6EB   3667 bytes
SHA-256: a3592e78f126f289cf242d4b0202d9d3d65c47e90c10ab860fb9f102e37e540f
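The following script is an added example, not code from the analysis platform that produced this report. It reproduces the three heuristics above (RTF_OBJAUTLINK, RTF_OBJUPDATE, RTF_OBJDATA) as control-word checks, then performs the same carving step as the extracted-artifact entry: hex-decoding each \objdata group, hashing it, and parsing the OLE 1.0 ObjectHeader (OLEVersion, FormatID, ClassName, native data size) that Word writes there. The RTF it runs on is constructed here and benign; its "native data" is a placeholder string, and the heuristic names and severities are taken from this page.

```python
"""Added example: minimal RTF OLE-object triage mirroring the report's
heuristics and its \\objdata carving. Not the analysis platform's code;
the sample RTF is constructed and benign."""
import hashlib
import re
import struct

# Control words the report's heuristics key on (names/severities from the
# report). The lookahead stops \objdata from matching a longer control word.
HEURISTICS = {
    "RTF_OBJAUTLINK": (rb"\\objautlink(?![A-Za-z])", "high"),
    "RTF_OBJUPDATE":  (rb"\\objupdate(?![A-Za-z])",  "high"),
    "RTF_OBJDATA":    (rb"\\objdata(?![A-Za-z])",    "medium"),
}
HEXRUN = re.compile(rb"[0-9A-Fa-f]+")


def scan_heuristics(rtf: bytes) -> dict:
    """Return {name: (severity, hit_count)} for each heuristic that fires."""
    hits = {}
    for name, (pattern, severity) in HEURISTICS.items():
        count = len(re.findall(pattern, rtf))
        if count:
            hits[name] = (severity, count)
    return hits


def carve_objdata(rtf: bytes) -> list:
    """Hex-decode every \\objdata group -> [(offset, blob, sha256)].
    Word ignores whitespace inside the hex run, so only hex digits are kept.
    Obfuscated samples nest control words inside the group; this carver is
    deliberately simple (use oletools' rtfobj for those)."""
    out = []
    for m in re.finditer(HEURISTICS["RTF_OBJDATA"][0], rtf):
        end = rtf.find(b"}", m.end())
        end = len(rtf) if end == -1 else end
        hexchars = b"".join(HEXRUN.findall(rtf[m.end():end]))
        hexchars = hexchars[: len(hexchars) & ~1]      # drop a dangling nibble
        blob = bytes.fromhex(hexchars.decode("ascii"))
        out.append((m.start(), blob, hashlib.sha256(blob).hexdigest()))
    return out


def _lp_string(buf: bytes, pos: int):
    """MS-OLEDS LengthPrefixedAnsiString: u32 length, then that many bytes
    (NUL terminator included). Raises ValueError if the blob is truncated."""
    (n,) = struct.unpack_from("<I", buf, pos)
    pos += 4
    if pos + n > len(buf):
        raise ValueError("truncated OLE1 string")
    return buf[pos:pos + n].rstrip(b"\x00").decode("latin-1"), pos + n


def parse_ole1(blob: bytes) -> dict:
    """Parse the OLE 1.0 ObjectHeader at the start of a decoded \\objdata blob:
    OLEVersion, FormatID (1 = linked, 2 = embedded), ClassName, TopicName,
    ItemName, then NativeDataSize + NativeData for embedded objects."""
    version, format_id = struct.unpack_from("<II", blob, 0)
    pos = 8
    class_name, pos = _lp_string(blob, pos)
    topic, pos = _lp_string(blob, pos)
    item, pos = _lp_string(blob, pos)
    native = b""
    if format_id == 2:
        (size,) = struct.unpack_from("<I", blob, pos)
        native = blob[pos + 4:pos + 4 + size]
    return {"ole_version": version, "format_id": format_id,
            "class_name": class_name, "topic": topic, "item": item,
            "native_size": len(native), "native": native}


def analyze(rtf: bytes) -> dict:
    """Combine heuristics and carved objects into one triage record."""
    report = {"heuristics": scan_heuristics(rtf), "objects": []}
    for offset, blob, digest in carve_objdata(rtf):
        try:
            hdr = parse_ole1(blob)
            hdr["native"] = hdr["native"][:8].hex()   # first bytes only, as hex
        except (ValueError, struct.error):
            hdr = {"error": "not an OLE1 ObjectHeader"}
        report["objects"].append({"offset": offset, "size": len(blob),
                                  "sha256": digest, **hdr})
    return report


def build_sample_rtf() -> bytes:
    """Constructed, benign test document: an auto-linked, auto-updating object
    with class name Equation.3 carrying placeholder bytes instead of a payload."""
    class_name = b"Equation.3\x00"
    native = b"benign placeholder"
    ole1 = struct.pack("<II", 0x00000501, 2)             # OLEVersion, embedded
    ole1 += struct.pack("<I", len(class_name)) + class_name
    ole1 += struct.pack("<II", 0, 0)                      # empty TopicName, ItemName
    ole1 += struct.pack("<I", len(native)) + native
    return (b"{\\rtf1\\ansi\\deff0 Harmless text.\n"
            b"{\\object\\objautlink\\objupdate\\objw380\\objh260"
            b"{\\*\\objclass Equation.3}{\\*\\objdata " + ole1.hex().encode() +
            b"}{\\result {\\pict}}}}")


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(build_sample_rtf()), indent=2))
```

Run against a real sample, the record gives the same facts the report's artifact row gives (offset of the \objdata group, decoded size, SHA-256) plus the OLE class name, which is often the quickest family hint: an Equation.3 class with \objupdate points at the Equation Editor exploit chain, while a Package class usually means a dropped file. The carver assumes a clean \objdata group; in the wild the hex is frequently padded with nested control words and junk, so treat a parse failure here as a reason to look closer, not as a clean verdict.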