Malicious RTF — malware analysis report

Static analysis result for SHA-256 9db4c737fd891687…

MALICIOUS

RTF

3.7 KB First seen: 2023-01-05
MD5: 43d3572df61172edf51e252c1e83df93 SHA-1: 611c9a423db33c48841a6fa0c3cb2d7d70380902 SHA-256: 9db4c737fd89168798872f75f407b633bf383afe013d462206e2105bb53dd3ce
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The RTF file contains OLE object data and an \objupdate directive, indicating it is designed to exploit OLE object activation. This technique is commonly used to deliver and execute malicious payloads. The specific exploit and payload are not detailed in the provided evidence.

Heuristics 2

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00000074.bin
c717b15638a31d789031d0b5a0bcfefe7a71b414db99e19241a63f1570a64460		 rtf-objdata-decoded RTF \objdata at offset 0x74 1761 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.