Malicious RTF — malware analysis report

Static analysis result for SHA-256 a2432a7b6ba159d8…

MALICIOUS

RTF

10.2 KB
MD5: 1c12563cb1b1492f69f480b5d72387a9 SHA-1: 1f1c130d39af75182953692b34ab62f947a0d7ad SHA-256: a2432a7b6ba159d88257adf16910a88960acd10ddc57b8922ddc74148748b98d
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious File

The RTF file contains OLE object data and an \objupdate directive, indicating an attempt to exploit OLE object activation for malicious purposes. The presence of these indicators suggests the file is designed to deliver a payload when opened. While no specific family is identified, the techniques used are common in malware delivery.

Heuristics 2

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0000164a.bin
88d5db5832ef1eff13a9697aa3ba31a5a2fef3d8cde0ffa43a0666598e1885b7		 rtf-objdata-decoded RTF \objdata at offset 0x164A 1672 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.