Malicious RTF — malware analysis report

Static analysis result for SHA-256 a9ef7d016c5480be…

MALICIOUS

RTF

26.1 KB First seen: 2023-05-02
MD5: fc01e8909cd645434c82378c485c6aa7 SHA-1: 733ba26263f78e8336ddcaf56259eb866af4f72c SHA-256: a9ef7d016c5480becf56f2ef7527d97e0890b42fbe32ee59e5ef6eee14613a66
100 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious File T1137.003 DLL Search Order Hijacking

The RTF file contains OLE object data that is automatically linked and updated, indicating an attempt to execute embedded content. The heuristics RTF_OBJAUTLINK and RTF_OBJUPDATE strongly suggest that the file is designed to exploit OLE activation mechanisms. While no specific payload or URL was extracted, the file's structure points to a classic OLE-based attack vector.

Heuristics 3

  • Automatically linked OLE object high RTF_OBJAUTLINK
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0000172b.bin
09d1a5ca4a2ac8cc8b7d2cc133699c70acd42c882b880859ce591f7cf89083a1		 rtf-objdata-decoded RTF \objdata at offset 0x172B 4175 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.