Malicious RTF — malware analysis report

Static analysis result for SHA-256 b2d3ea72a3ea0d19…

Verdict: MALICIOUS
File type: RTF
Size: 22.5 KB
First seen: 2022-10-05
MD5: d55f421828d1f39ad61ae8a92028be1a
SHA-1: 4049f2a3184cb63604d7fa9d30501a15b10161ed
SHA-256: b2d3ea72a3ea0d19826c447346cc134d08bf6d48326bc289c4fd11104a66cafc
Risk score: 100

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File
  • T1137.003 DLL Search Order Hijacking

The RTF file contains OLE object data and uses \objupdate to force OLE activation, indicating an attempt to execute embedded content. The presence of the Ole10Native stream further supports this. While no specific document body content or scripts were extracted to detail the exact lure, the heuristics strongly suggest a malicious OLE object is embedded and intended for execution.

Heuristics (3)

  • Ole10Native stream in RTF OLE object (severity: high, CVE related) [RTF_OLE10NATIVE_STREAM]
    RTF contains an embedded OLE object with an Ole10Native stream. This is a strong payload-container signal and is related to Word/OLE exploit delivery, but it is not specific enough on its own to assign a CVE.
  • \objupdate forces OLE activation (severity: high) [RTF_OBJUPDATE]
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium) [RTF_OBJDATA]
    RTF contains 1 \objdata section(s): embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001fd4.bin
SHA-256: 301588991834a6262c414439a32979d7463474c84967661057f685894db9e5d1
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x1FD4
Size:     4162 bytes