Malicious RTF — malware analysis report

Static analysis result for SHA-256 996ce17c40c002e4…

MALICIOUS

RTF

Size: 25.9 KB
First seen: 2023-06-21
MD5: 4208d961a2d6b6c77f5b2df38ba17308
SHA-1: a255b71820ce6b203ec3e1f54f0043b2b9336016
SHA-256: 996ce17c40c002e4c59c7e1392213aabfd67ad341bc112e59e453c73967eca74
Risk score: 80

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious File

The RTF file contains embedded OLE object data which is configured to automatically update and activate. This suggests an attempt to leverage OLE object execution to run malicious code. The specific content of the OLE object is not fully detailed, but the heuristics strongly indicate a malicious intent to exploit this mechanism. No document body or script content was available for further analysis.

Heuristics (3)

  • \objupdate forces OLE activation [high] (RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] (RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object [medium] (RTF_OBJEMB)
    RTF contains \objemb — embedded OLE object

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000014cf.bin
SHA-256: ce4dad2533aa7b6566b000e073c601470acb89a35b463fb5ab3fe8dd4e2e6f05
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x14CF
Size: 4174 bytes