Malicious RTF — malware analysis report

Static analysis result for SHA-256 a48d7318f8a71f19…

Verdict: MALICIOUS
File type: RTF
Size: 24.2 KB
First seen: 2023-05-09
MD5: 3a8641ce8a7de2549623b886e142ce8b
SHA-1: c2ba4288ddbe876bfe6b0cdf24c06b259d76b2f7
SHA-256: a48d7318f8a71f19109687b60d2a996c7b2635e1b9525160643187462b7f056a
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The RTF file contains OLE object data and an \objupdate directive, indicating an attempt to exploit OLE object activation. This technique is commonly used to deliver malicious payloads. No document body or script content was available for further analysis, limiting the ability to identify specific lures or payloads.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: objdata_00_off00000fda.bin
    SHA-256: 2fe45eb22be181bf141c99b0138adb75dfc7a1c24888a3d85656058947a8eed2
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0xFDA
    Size: 4195 bytes