Malicious RTF — malware analysis report

Static analysis result for SHA-256 b1d072500606ac71…

MALICIOUS

RTF

Size: 175.1 KB    First seen: 2024-06-27
MD5:     b565335213e53d72f83b6b3f6fdc8882
SHA-1:   37f41d7ed92d075dbcec258759fed6d668f93897
SHA-256: b1d072500606ac716e13171b70ef4010d52d8b13704ced43e2cb81c183a7d8fc
Risk Score: 100

Malware Insights

MITRE ATT&CK
T1559.001 Inter-Process Communication: Component Object Model
T1137.001 Office Application Startup: Office Template Macros

The RTF contains one embedded OLE object (\objdata) and forces its activation when the document is opened via \objupdate. That combination is characteristic of documents that abuse OLE object loading to reach a vulnerable COM server (historically Equation Editor) so that the embedded content executes without the user clicking anything. The \objautlink and \objupdate control words identify the activation mechanism; the static evidence here does not identify the payload itself or the specific vulnerability it targets, so the payload should be taken from the carved \objdata artifact below and analysed separately.

Heuristics (3)

  • RTF_OBJAUTLINK (high): Automatically linked OLE object
    RTF contains \objautlink, an automatically linked OLE object that Word can update or activate when the document is opened.
  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    RTF contains \objupdate, which makes Word instantiate the OLE object as soon as the document is opened, with no user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (medium): OLE object data
    RTF contains 1 \objdata section (hex-encoded embedded OLE object data).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                    Kind                  Source                          Size
objdata_00_off00001ad8.bin  rtf-objdata-decoded   RTF \objdata at offset 0x1AD8   4175 bytes
  SHA-256: 0c41c8b1da6fc2a4b860eb75147b92b9e8e8fae16a35f4d8ba7a30bfbe2d3d0e
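The following script is an added example and is not the analysis platform's code or the carved artifact itself. It reproduces the two steps the report applies to an RTF: flagging the three control words behind the heuristics above (\objautlink, \objupdate, \objdata), then carving each \objdata group into bytes (the "rtf-objdata-decoded" artifact kind) and parsing the OLE 1.0 object header for the class name and native payload size. The RTF sample and OLE stream are constructed inline; the class name "Equation.3" is an assumption chosen because the heuristics mention Equation Editor, the report does not state the real sample's class, and the "native data" is a harmless placeholder string, not an exploit.

```python
r"""Triage of the RTF OLE object surface the report's heuristics key on.

Added example; not the analysis platform's own code. Finds \objautlink,
\objupdate and \objdata, carves each \objdata hex blob into bytes (the
"rtf-objdata-decoded" artifact kind) and parses the OLE 1.0 object
header for the class name and native payload size. The RTF and OLE stream
are constructed here; the native data is a harmless placeholder.
"""
import re
import struct

HEURISTIC_WORDS = {  # control word -> heuristic ID as named in the report
    b"objautlink": "RTF_OBJAUTLINK",
    b"objupdate": "RTF_OBJUPDATE",
    b"objdata": "RTF_OBJDATA",
}
HEX_DIGITS = frozenset(b"0123456789abcdefABCDEF")
CONTROL_CHARS = frozenset(b"abcdefghijklmnopqrstuvwxyz-0123456789")
SAMPLE_NATIVE = b"PLACEHOLDER-NATIVE-DATA " * 8  # constructed stand-in payload (192 bytes)


def build_ole1_embedded(class_name: bytes, native: bytes) -> bytes:
    """OLE 1.0 embedded object per MS-OLEDS: OLEVersion 0x501, FormatID 2,
    ClassName/TopicName/ItemName as length-prefixed NUL-terminated ANSI
    strings (length 0 = absent), then NativeDataSize and NativeData."""
    def lpstr(s: bytes) -> bytes:
        return struct.pack("<I", len(s) + 1) + s + b"\x00" if s else struct.pack("<I", 0)
    return (struct.pack("<II", 0x00000501, 2) + lpstr(class_name) + lpstr(b"")
            + lpstr(b"") + struct.pack("<I", len(native)) + native)


def build_sample_rtf(ole_stream: bytes) -> bytes:
    r"""Constructed RTF carrying the object with the same three control words
    the report flagged. The hex is wrapped into lines, as Word writes it."""
    hexdata = ole_stream.hex().encode("ascii")
    wrapped = b"\r\n".join(hexdata[i:i + 126] for i in range(0, len(hexdata), 126))
    return (b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Times New Roman;}}\r\n"
            b"\\pard Quarterly figures attached.\\par\r\n"
            b"{\\object\\objautlink\\objupdate\\objw1440\\objh720"
            b"{\\*\\objclass Equation.3}{\\*\\objdata \r\n" + wrapped + b"\r\n}"
            b"{\\result{\\pict\\wmetafile8 0100}}}\r\n}")


def find_control_words(rtf: bytes) -> dict:
    """Map each flagged control word to the offsets at which it occurs."""
    hits = {}
    for m in re.finditer(rb"\\([a-z]+)", rtf):
        if m.group(1) in HEURISTIC_WORDS:
            hits.setdefault(m.group(1), []).append(m.start())
    return hits


def carve_objdata(rtf: bytes) -> list:
    r"""Return (offset, decoded bytes) for every \objdata group. Hex digits are
    collected only at the group's own brace depth; whitespace, nested groups,
    control words and \'hh escapes are skipped so injected noise does not
    shift the decode. (\binN raw-binary runs are not handled here.)"""
    carved = []
    for m in re.finditer(rb"\\objdata\b", rtf):
        pos, depth, hexchars = m.end(), 1, bytearray()
        while pos < len(rtf) and depth > 0:
            c = rtf[pos]
            if c == 0x7B:                       # {
                depth += 1
            elif c == 0x7D:                     # }
                depth -= 1
            elif c == 0x5C:                     # backslash: control word or symbol
                pos += 1
                if rtf[pos:pos + 1] == b"'":    # \'hh hex-escaped byte
                    pos += 3
                elif rtf[pos:pos + 1].isalpha():
                    while pos < len(rtf) and rtf[pos] in CONTROL_CHARS:
                        pos += 1
                else:                           # control symbol such as \* or \{
                    pos += 1
                continue
            elif depth == 1 and c in HEX_DIGITS:
                hexchars.append(c)
            pos += 1
        if len(hexchars) % 2:                   # dangling nibble: drop it
            del hexchars[-1]
        carved.append((m.start(), bytes.fromhex(hexchars.decode("ascii"))))
    return carved


def parse_ole1_header(blob: bytes) -> dict:
    r"""Parse the OLE 1.0 ObjectHeader at the start of a decoded \objdata blob."""
    if len(blob) < 12:
        raise ValueError("blob too short for an OLE 1.0 header")
    version, format_id = struct.unpack_from("<II", blob, 0)
    off = 8

    def lpstr(off: int):
        (n,) = struct.unpack_from("<I", blob, off)
        return blob[off + 4:off + 4 + n].rstrip(b"\x00"), off + 4 + n

    class_name, off = lpstr(off)
    _topic, off = lpstr(off)
    _item, off = lpstr(off)
    info = {"ole_version": version, "format_id": format_id,
            "class_name": class_name.decode("latin-1")}
    if format_id == 2:                          # embedded: NativeDataSize + NativeData
        (native_size,) = struct.unpack_from("<I", blob, off)
        info["native_size"] = native_size
        info["native_data"] = blob[off + 4:off + 4 + native_size]
        info["truncated"] = len(blob) - (off + 4) < native_size
    return info


def triage(rtf: bytes) -> dict:
    """Heuristic IDs that fire, plus one record per carved OLE object."""
    hits = find_control_words(rtf)
    fired = [HEURISTIC_WORDS[w] for w in HEURISTIC_WORDS if w in hits]
    objects = [{"offset": off, "size": len(blob), **parse_ole1_header(blob)}
               for off, blob in carve_objdata(rtf)]
    return {"heuristics": fired, "objects": objects}


if __name__ == "__main__":
    report = triage(build_sample_rtf(build_ole1_embedded(b"Equation.3", SAMPLE_NATIVE)))
    print(report["heuristics"])
    for o in report["objects"]:
        print(f"objdata at 0x{o['offset']:X}: {o['size']} bytes, class {o['class_name']!r}, "
              f"native {o.get('native_size')} bytes")
```

Run it as a script to see the three heuristic IDs fire and the carved object's offset, size and class name; point `triage()` at the bytes of a real RTF to get the same view. The class name recovered from the OLE 1.0 header is the check a practitioner wants first: an \objupdate document whose object class names Equation Editor or another known-vulnerable COM server is the pattern the RTF_OBJUPDATE heuristic describes, while the `truncated` flag catches \objdata groups whose NativeDataSize claims more bytes than were actually embedded.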