Malicious RTF — malware analysis report

Static analysis result for SHA-256 9ec172e292f78477…

MALICIOUS

RTF

7.9 KB
MD5: 4c084f9a7c1a961a35768108ca70e1f5 SHA-1: 6d83c358b751a7766c0aeb6c575ec68ec8b8a985 SHA-256: 9ec172e292f7847722be4d6a8bb488e498f11115e9daa82b56feae8522d8082c
80 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File T1059.001 PowerShell

The RTF document contains embedded OLE objects, and a ".objupdate" directive is present, indicating an attempt to exploit OLE object activation. This suggests a malicious document designed to execute code upon opening. No specific family could be identified, and no URLs or scripts were extracted to further detail the payload.

Heuristics 3

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00000bc2.bin
1759eb2ab56f0e0cb4291ccfddc15c44eb751e8cc8a558c2188184829e29ce74		 rtf-objdata-decoded RTF \objdata at offset 0xBC2 1809 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.