Malicious RTF — malware analysis report

Static analysis result for SHA-256 a7c91431bc872481…

Verdict: MALICIOUS

File type: RTF

Size: 601.8 KB

MD5: 37499f2b57e5062f13276b2da675ba0c
SHA-1: b1dc43fe0c1b0c7bb03b70fe4971d68ce4ac9260
SHA-256: a7c91431bc872481749059840757ef9ffe06a1f1a1fe7fb40d3b866ac6daac82

Risk Score: 60

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious File

The file is an RTF document containing embedded OLE object data, which is activated by an \objupdate directive. This strongly suggests an exploit targeting RTF parsing or OLE object handling to achieve arbitrary code execution. No specific family could be identified due to the lack of script content or network indicators.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                     Kind                  Source                        Size
objdata_00_off00000044.bin   rtf-objdata-decoded   RTF \objdata at offset 0x44   54277 bytes
  SHA-256: defdabac2183442b40f019320e357dd96f8245c4e2784ea70e4146365001d280