Malicious RTF — malware analysis report

Static analysis result for SHA-256 c7018ee3783f4b2f…

Verdict: MALICIOUS
File type: RTF
Size: 389.5 KB
Created: 2022-06-20 09:04:00
Authoring application: WPS Office
First seen: 2022-07-08
MD5: 80987dcdb36e7cb52bb03f00261aa2bd
SHA-1: 2abf70f69a289cc99adb5351444a1bd23fd97384
SHA-256: c7018ee3783f4b2fb19fedc78c59586390efa1b72c907867794bf42141eb767c
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking

The RTF file contains multiple embedded OLE objects, with one specifically triggered by \objupdate. This suggests an attempt to exploit OLE object activation to execute malicious code. The document body is formatted as a meeting protocol, likely a lure to trick users into enabling content or interacting with the embedded objects.

Heuristics (3)

  • \objupdate forces OLE activation [severity: high] (rule: RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [severity: medium] (rule: RTF_OBJDATA)
    RTF contains 3 \objdata section(s): embedded OLE objects.
  • Embedded OLE object [severity: medium] (rule: RTF_OBJEMB)
    RTF contains \objemb: an embedded OLE object.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Fields per artifact: Filename, SHA-256, Kind, Source, Size

objdata_00_off000270f3.bin
  SHA-256: dc1232b57c5c684b6838329879533b945a263fd5a3bb1825d50f58d153a77e68
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x270F3
  Size: 112380 bytes

objdata_01_off0005df11.bin
  SHA-256: 624cd8895a4ecc5a0a871cb6215c2b19f4fae3b522107541fa9df8c8983ecb35
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x5DF11
  Size: 6847 bytes

objdata_02_off0005df2b.bin
  SHA-256: 05ba095ac605422898d063511280e25730e5e1dd91478e3cd20e32a7ee2beec8
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x5DF2B
  Size: 6843 bytes