Malicious RTF — malware analysis report

Static analysis result for SHA-256 95aec4a1bcd8bc36…

Verdict: MALICIOUS
File type: RTF
Size: 22.3 KB
First seen: 2023-05-08
MD5: 7716369fd03f65e70b83a472f0c88258
SHA-1: 80afc35d7c881e70df784a143de4cfbc4a8971d8
SHA-256: 95aec4a1bcd8bc36a1d9fe6752da543cad0c498022426c54902a39db97618bc3
Risk score: 60

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.002 User Execution: Malicious File

The RTF file embeds an OLE object (one \objdata group) and carries the \objupdate control word, which tells Word to update, and therefore activate, the object as soon as the document is opened instead of waiting for the user to double-click it. No document body text or script content was recovered, so the verdict rests on these structural heuristics rather than on the payload itself; the combination of an embedded object plus forced activation is characteristic of documents that deliver an exploit through an OLE object. The decisive check is to decode the carved \objdata blob and read the class name (or CLSID) in its OLE1 header: that identifies which application the object is handed to on open.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, rule RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule RTF_OBJDATA)
    RTF contains 1 \objdata section(s), i.e. embedded OLE object(s).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000673.bin
SHA-256:  8c344451a995695eccd54cc22fcee55133b34e01e391c9a5d282871168699018
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x673
Size:     4182 bytes
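As an added example (not part of this report or of the scanner that produced it), the following Python script reproduces both heuristics above and the carving step behind the extracted artifact: it looks for \objupdate, gathers the hex digits inside each \objdata group while skipping the junk control words and nested groups that lures pad them with, and parses the decoded OLE 1.0 ObjectHeader (MS-OLEDS 2.2.4) to recover the object's class name, which is the check that turns "some OLE object" into "Equation Editor object". The sample RTF, the build_* helpers and the placeholder native data are constructed here for the demonstration; they are not the analysed file, and the decoder is a simplification of Word's own RTF reader.

```python
import re
import struct

# --- Constructed sample (not the analysed file) -------------------------------
# Placeholder native data; a real Equation Editor object carries an MTEF stream here.
NATIVE = b"\x1c\x00\x00\x00\x02\x00" + b"A" * 40


def build_ole1_object(class_name: bytes, native: bytes) -> bytes:
    """Build the OLE1 blob an RTF \\objdata group carries (MS-OLEDS 2.2.4/2.2.5):
    OLEVersion(4) FormatID(4) ClassName TopicName ItemName NativeDataSize(4) NativeData."""
    def lpstr(s: bytes) -> bytes:
        if not s:                          # Length 0 means the string is absent
            return struct.pack("<I", 0)
        s += b"\x00"                       # length counts the terminating NUL
        return struct.pack("<I", len(s)) + s
    return (struct.pack("<II", 0x00000501, 0x00000002)   # OLEVersion, FormatID=EmbeddedObject
            + lpstr(class_name) + lpstr(b"") + lpstr(b"")
            + struct.pack("<I", len(native)) + native)


def build_sample_rtf(class_name: bytes = b"Equation.3") -> bytes:
    """Constructed lure: \\objemb + \\objupdate + hex \\objdata, with the hex split across
    lines and a junk group dropped in the middle to defeat naive regex carving."""
    hexdata = build_ole1_object(class_name, NATIVE).hex().encode()
    chunks = [hexdata[i:i + 32] for i in range(0, len(hexdata), 32)]
    chunks.insert(2, b"{\\*\\junk 123}")
    body = b"\r\n".join(chunks)
    return (b"{\\rtf1\\ansi{\\object\\objemb\\objupdate{\\*\\objclass " + class_name + b"}"
            b"{\\*\\objdata " + body + b"}}}")


# --- Decoder ------------------------------------------------------------------
HEX = b"0123456789abcdefABCDEF"
OBJDATA_RE = re.compile(rb"\\objdata(?![a-zA-Z])")
OBJUPDATE_RE = re.compile(rb"\\objupdate(?![a-zA-Z])")


def extract_objdata(rtf: bytes):
    """Return [(offset of the \\objdata control word, decoded bytes)] for every group.
    Hex digits are gathered up to the group's closing brace; control words, control
    symbols and nested groups are skipped (a simplification of Word's reader)."""
    found = []
    for m in OBJDATA_RE.finditer(rtf):
        i, depth, hexchars = m.end(), 0, bytearray()
        while i < len(rtf):
            c = rtf[i:i + 1]
            if c == b"{":
                depth += 1
            elif c == b"}":
                if depth == 0:
                    break
                depth -= 1
            elif c == b"\\":
                j = i + 1
                while j < len(rtf) and rtf[j:j + 1].isalpha():
                    j += 1
                if j > i + 1:              # control word: may carry a numeric parameter
                    while j < len(rtf) and (rtf[j:j + 1].isdigit() or rtf[j:j + 1] == b"-"):
                        j += 1
                else:                      # control symbol such as \* or \{ ; \'hh has two hex digits
                    j += 3 if rtf[j:j + 1] == b"'" else 1
                i = j
                continue
            elif depth == 0 and c in HEX:
                hexchars += c
            i += 1
        if len(hexchars) % 2:
            hexchars.pop()                 # tolerate a dangling nibble
        found.append((m.start(), bytes.fromhex(hexchars.decode())))
    return found


def parse_ole1_header(blob: bytes) -> dict:
    """Parse the OLE1 ObjectHeader in front of the embedded object (MS-OLEDS 2.2.4)."""
    def lpstr(off: int):
        (n,) = struct.unpack_from("<I", blob, off)
        return blob[off + 4:off + 4 + n].rstrip(b"\x00"), off + 4 + n
    version, fmt = struct.unpack_from("<II", blob, 0)
    class_name, off = lpstr(8)
    _topic, off = lpstr(off)
    _item, off = lpstr(off)
    (native_size,) = struct.unpack_from("<I", blob, off)
    return {"ole_version": version, "format_id": fmt,
            "class_name": class_name.decode("latin-1"),
            "native_size": native_size,
            "native_data": blob[off + 4:off + 4 + native_size]}


def triage(rtf: bytes) -> dict:
    """Reproduce the report's two heuristics and add the class-name check."""
    objupdate = OBJUPDATE_RE.search(rtf) is not None
    objects = []
    for off, blob in extract_objdata(rtf):
        try:
            hdr = parse_ole1_header(blob)
        except struct.error:               # truncated or garbage blob: still report it
            hdr = {"class_name": "", "native_size": 0}
        objects.append({"offset": off, "size": len(blob),
                        "class_name": hdr["class_name"], "native_size": hdr["native_size"]})
    equation = any(o["class_name"].lower().startswith("equation") for o in objects)
    return {"objupdate": objupdate, "objects": objects,
            "equation_editor_autoload": objupdate and equation}


if __name__ == "__main__":
    print(triage(build_sample_rtf()))
```

On a real sample, parse_ole1_header is what you would run over the carved file objdata_00_off00000673.bin listed above; a class name such as Equation.3 together with \objupdate is what the RTF_OBJUPDATE heuristic is really pointing at. For production triage use oletools' rtfobj, which mirrors Word's parsing quirks (overlong hex runs, \bin, junk inside the hex) far more faithfully than the simplified scanner here.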