Malicious RTF — malware analysis report

Static analysis result for SHA-256 bf3e6298662aa3e8…

Verdict: MALICIOUS
File type: RTF
Size: 64.4 KB
MD5: 1c87c6c304e5fd86126c76ae5d86223b
SHA-1: f42c6a014358758cdb722918acd95f1be153788f
SHA-256: bf3e6298662aa3e82d2b005d3199c24695f18067e9098ae976e6eab630dcb883
Risk Score: 60

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File
  • T1059.001 PowerShell

The RTF document contains OLE object data and the \objupdate control word, which forces the embedded object to be updated (instantiated) when the document is opened, a pattern consistent with attempts to exploit OLE handling vulnerabilities. The embedded OLE object, objdata_00_off00001369.bin, is likely the payload. The high-severity heuristic RTF_OBJUPDATE strongly suggests malicious intent: activating the embedded object without user interaction to achieve code execution.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, RTF_OBJDATA)
    RTF contains 1 \objdata section (embedded OLE object).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001369.bin
SHA-256: 5b9a65f2673661a6994349782ade95167e42c8b7d69eab8c374b85356f1ab9c9
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1369
Size: 22691 bytes