Malicious RTF — malware analysis report

Static analysis result for SHA-256 93b1e1753a16458b…

MALICIOUS

RTF

10.2 KB
MD5: d31e0cd8788360bc57ac0cb59062759d SHA-1: 2592755581e062af148e3ed7d50d758c082eb1da SHA-256: 93b1e1753a16458be06b8730370fa6f063f4236c71efa6c9de91e7a19832bc8c
80 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious File

The RTF document contains embedded OLE objects, with a specific ".objupdate" trigger identified. This suggests the document is designed to exploit OLE object activation to execute embedded code. While no specific script was extracted, the presence of OLE objects and the update trigger strongly indicate a malicious intent, likely to download and execute a secondary payload or exploit a vulnerability. The confidence is moderate due to the lack of directly executable script content.

Heuristics 3

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000018ac.bin
688b3b871b26ce4779ad1287f4b2ec1ad71a021a678ae39600679a3603949dde		 rtf-objdata-decoded RTF \objdata at offset 0x18AC 1446 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.