Malicious RTF — malware analysis report

Static analysis result for SHA-256 b5784dc5717d0733…

Verdict: MALICIOUS
File type: RTF
File size: 18.0 KB
MD5: 79b064007e51e1cfb2f7c91c732242a9
SHA-1: c4748fd11683b4b02e5bbc13746005a023f66568
SHA-256: b5784dc5717d0733bcdd150fda07cc94bcc2e2529e0f03e3bb9ec9b623302496
Risk score: 100

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The RTF document contains OLE object data and triggers OLE activation via \objupdate, indicating a likely exploit for a vulnerability in OLE object handling. This technique is commonly used to deliver malicious payloads. The specific exploit targeted is not immediately clear from the heuristics, but the presence of \objdata and \objupdate strongly suggests code execution upon opening the document.

Heuristics (3)

  • Ole10Native stream in RTF OLE object [severity: high, CVE related] rule RTF_OLE10NATIVE_STREAM
    RTF contains an embedded OLE object with an Ole10Native stream. This is a strong payload-container signal and is related to Word/OLE exploit delivery, but it is not specific enough on its own to assign a CVE.
  • \objupdate forces OLE activation [severity: high] rule RTF_OBJUPDATE
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [severity: medium] rule RTF_OBJDATA
    RTF contains 2 \objdata section(s) (embedded OLE objects).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000005c7.bin
SHA-256:  6d1c450d6caf8b3cdcd28670e3858469b7f4102d26b86903d1de4cacef676fee
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x5C7
Size:     3673 bytes