Malicious RTF — malware analysis report

Static analysis result for SHA-256 9acbf2ec6d4d9e5a…

Verdict: MALICIOUS
File type: RTF
Size: 26.4 KB
First seen: 2023-05-09
MD5: 18418b8b5e1ee58eba592c4b23abc28b
SHA-1: 2e4c99b68f74c39586c086f97cfc4d37e8a74f9c
SHA-256: 9acbf2ec6d4d9e5a0e0f373409bfaa540daf14a95bb5f2743a07c440f65f7a7c
Risk score: 80

Malware Insights

MITRE ATT&CK
  • T1559.001 Component Object Model Hijacking
  • T1204.002 Malicious File

The RTF file contains OLE object data that is triggered for activation via \objupdate. This indicates an attempt to exploit a vulnerability related to OLE object handling, likely to execute arbitrary code. The document body is heavily obfuscated and does not provide clear textual lures. No scripts were extracted from this sample.

Heuristics (3)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s): embedded OLE objects.
  • Embedded OLE object (severity: medium, rule: RTF_OBJEMB)
    RTF contains \objemb: embedded OLE object.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename:  objdata_00_off00002030.bin
SHA-256:   c4d8f60b6d9ff117f70abb8c138e3aafe29ab55ce0a6074627b90e9292166265
Kind:      rtf-objdata-decoded
Source:    RTF \objdata at offset 0x2030
Size:      3669 bytes