Malicious RTF — malware analysis report

Static analysis result for SHA-256 a9939214c9c6a2cd…

MALICIOUS

RTF

Size: 24.6 KB
First seen: 2023-05-04
MD5: 7f8045b2c78195d846d5622d65574cf5
SHA-1: 5d1a01a1d270a4a70a4c4330b2e5ca74ccc886fa
SHA-256: a9939214c9c6a2cd0245d3e41e960f0cffbb1ee0ec26e98453e9f586a30b4c7f
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The RTF file contains OLE object data and an \objupdate directive, indicating that it is designed to activate its embedded objects automatically when opened. This strongly suggests a malicious intent to exploit vulnerabilities or execute embedded code upon opening. No specific malware family could be identified, and the document body was too obfuscated to determine a clear lure.

Heuristics 2

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: objdata_00_off000010cb.bin
SHA-256: 2c75212a22ec6bc3dd6a9109f0ea3d9e4626f9b859c6ce60471bda73994cdf0a
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x10CB
Size: 4192 bytes