Malicious RTF — malware analysis report

Static analysis result for SHA-256 b809268a443a5906…

MALICIOUS

RTF

23.6 KB
MD5: a3ea16e265e319b74dd1373d7e83916d SHA-1: a3e29a7d1fd84de890d1452d4b0892d7c2735598 SHA-256: b809268a443a59068e98e9b755f9f5632e396ed39e826750ed128f37f0fbe775
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The RTF document contains embedded OLE objects, with heuristics indicating that \objupdate forces OLE activation. This suggests the document is designed to exploit OLE object handling to execute embedded code. The presence of \objdata and \ole10native stream further supports the embedding of malicious content. While no specific script was extracted, the OLE object's nature strongly implies it's a downloader or exploit carrier.

Heuristics 4

  • Ole10Native stream in RTF OLE object high CVE related RTF_OLE10NATIVE_STREAM
    RTF contains an embedded OLE object with an Ole10Native stream. This is a strong payload-container signal and is related to Word/OLE exploit delivery, but it is not specific enough on its own to assign a CVE.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000012e2.bin
c298b235d55eb07c6cb314937ef0105a5e778b6bc500b6bd8f170316a16de612		 rtf-objdata-decoded RTF \objdata at offset 0x12E2 4194 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.