Malicious RTF — malware analysis report

Static analysis result for SHA-256 9fc720c891b10368…

MALICIOUS

RTF

Size: 26.9 KB
First seen: 2023-03-13
MD5: a0fdf8e2944577e63827431a287559ea
SHA-1: 71b7b1418eee59c82521d29eb9a397469fb74b19
SHA-256: 9fc720c891b10368eac4e5dd9a6a531287958bb6001df47029bcc04ba78bf1d7
Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.001 User Execution: Malicious Link
  • T1204.002 User Execution: Malicious File

The RTF file contains embedded OLE object data and uses the \objupdate control word to force OLE activation when the document is opened, a pattern that indicates an attempt to exploit a vulnerability without further user interaction. Taken together, these indicators strongly suggest the file is designed to execute malicious code upon opening. No specific malware family could be identified from the available heuristics.

Heuristics (3)

  • RTF_OLE10NATIVE_STREAM (severity: high, CVE related): Ole10Native stream in RTF OLE object
    RTF contains an embedded OLE object with an Ole10Native stream. This is a strong payload-container signal and is related to Word/OLE exploit delivery, but it is not specific enough on its own to assign a CVE.
  • RTF_OBJUPDATE (severity: high): \objupdate forces OLE activation
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (severity: medium): OLE object data
    RTF contains 1 \objdata section (embedded OLE object).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000200f.bin
SHA-256: b8dc5b39d9f36317c440e51334d0627cb2604398b93abbfd5d08125018310bf5
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x200F
Size: 4173 bytes