Malicious RTF — malware analysis report

Static analysis result for SHA-256 bdb96a42fa084ec9…

Verdict: MALICIOUS
File type: RTF
Size: 24.5 KB
First seen: 2022-10-12
MD5: 76123fcdc734f893ca11c342106920b2
SHA-1: 73da2cb62b3bd81edc968f89d402705f443b3758
SHA-256: bdb96a42fa084ec9af62cf54295a90d3298b610fa7a6de5a881d8e3dcc598c7e
Risk score: 100

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.002 User Execution: Malicious File
T1203 Exploitation for Client Execution (via embedded OLE object)

The RTF file carries embedded OLE object data (\objdata) and uses \objupdate, which makes Word update the object as soon as the document is rendered, so the OLE server for the object's class is started without the user clicking on the object. That combination is the usual way to reach a vulnerable OLE server from a document and indicates an attempt to exploit OLE vulnerabilities; the embedded object is commonly the container for the first-stage code, which then downloads and runs further stages. The heuristics below identify the delivery mechanism rather than a specific CVE: the carved object listed under Extracted artifacts has to be inspected to confirm what the payload targets.

Heuristics (3)

  • RTF_OLE10NATIVE_STREAM (severity: high; tag: CVE-related): Ole10Native stream in RTF OLE object
    The RTF contains an embedded OLE object with an Ole10Native stream. This is a strong payload-container signal and is related to Word/OLE exploit delivery, but on its own it is not specific enough to assign a CVE.
  • RTF_OBJUPDATE (severity: high): \objupdate forces OLE activation
    The RTF contains \objupdate, which forces the embedded OLE object to be instantiated automatically when the document is opened, so no click on the object is needed (the user still has to open the file). This trigger is characteristic of Equation Editor exploit documents.
  • RTF_OBJDATA (severity: medium): OLE object data
    The RTF contains 1 \objdata section (embedded OLE object data).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00002012.bin
SHA-256: f976252432240318404e41466dc31d89ecc196dff2fcc24c96f26f9424ef0b16
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x2012
Size: 4683 bytes