Malicious RTF — malware analysis report

Static analysis result for SHA-256 93ec5d21c1a6f7da…

MALICIOUS

RTF

Size: 4.8 KB
First seen: 2021-09-27
MD5: 47cda64076d088d10b83fd56e8656894
SHA-1: e783645db0ae889077b91112e9e1abba982798ef
SHA-256: 93ec5d21c1a6f7da27ac3cbd82a24e966ec76ece1b186d667dbe214ed0147581
Risk score: 100

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file contains OLE object data that is automatically linked and updated, indicating an attempt to exploit OLE activation for code execution. The heuristic firings strongly suggest this mechanism is leveraged. While no specific payload or URL is directly visible in the provided evidence, the technique implies the execution of a secondary stage, likely a downloader.

Heuristics (3)

  • Automatically linked OLE object [high] RTF_OBJAUTLINK
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation [high] RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects.