Malicious RTF — malware analysis report

Static analysis result for SHA-256 d79dcb90dfc01723…

MALICIOUS

RTF

Size: 382.0 KB
Created: 2022-06-21 08:02:00
Authoring application: WPS Office
First seen: 2022-07-08
MD5: 001b53acfab523dc060d38d73d63feef
SHA-1: a501fec38f4aca1a57393b6e39a52807a7f071a4
SHA-256: d79dcb90dfc01723f8df5628f502352c6f922187d3ef5942a6e8465552f40edf
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File
  • T1027 Obfuscated Files or Information

The RTF file contains embedded OLE objects, one of which is triggered by \objupdate, indicating an attempt to execute embedded content automatically on open. The document body discusses legal amendments, a common phishing lure, which further suggests the embedded content is malicious. No specific malware family could be identified because the sample contains no script content.

Heuristics (3)

  • \objupdate forces OLE activation (severity: high, RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, RTF_OBJDATA)
    RTF contains 3 \objdata section(s), i.e. embedded OLE objects.
  • Embedded OLE object (severity: medium, RTF_OBJEMB)
    RTF contains \objemb, an embedded OLE object.

Extracted artifacts (3)

Files carved from inside the sample during analysis (filename, SHA-256, kind, source, size).

  • objdata_00_off00025324.bin
    SHA-256: dc1232b57c5c684b6838329879533b945a263fd5a3bb1825d50f58d153a77e68
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x25324
    Size: 112380 bytes
  • objdata_01_off0005c142.bin
    SHA-256: 624cd8895a4ecc5a0a871cb6215c2b19f4fae3b522107541fa9df8c8983ecb35
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x5C142
    Size: 6847 bytes
  • objdata_02_off0005c15c.bin
    SHA-256: 05ba095ac605422898d063511280e25730e5e1dd91478e3cd20e32a7ee2beec8
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x5C15C
    Size: 6843 bytes