Malicious RTF — malware analysis report

Static analysis result for SHA-256 abab55c3c2109d14…

Verdict: MALICIOUS
File type: RTF
Size: 27.8 KB
Authoring application: Msftedit 5.41.21.2510
MD5: 0c9dfa5c8cf346c75da3972b4b80fdab
SHA-1: 63f43801babb94816931266fab02b98b0eabf369
SHA-256: abab55c3c2109d14d6efde236c6200bbf59edf9c2edc6d8a59ce6e310607bc9b
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1071.001 Application Layer Protocol: Web Protocols
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1566.001 Phishing: Spearphishing Attachment

The file uses RTF's OLE object embedding capability to conceal a potentially malicious executable. The presence of the \objdata and \objemb control words within the RTF structure strongly suggests this technique, and the extracted OLE object data (objdata_00_off000000f1.bin) likely contains the payload. The file's purpose is likely to deliver a malicious payload via a document-based attack that exploits weaknesses in OLE handling.

Heuristics (3)

  • RTF_OBJCLASS_PACKAGE (high) — Package object class
    OLE Package object — can wrap arbitrary files
  • RTF_OBJDATA (medium) — OLE object data
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • RTF_OBJEMB (medium) — Embedded OLE object
    RTF contains \objemb — embedded OLE object

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000000f1.bin
SHA-256:  c2dd5365aa4b2e09aca2b238837f5a19b067ff68e8104713d5306e21e03ff793
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0xF1
Size:     7892 bytes