Malicious RTF — malware analysis report

Static analysis result for SHA-256 d8588e51d73dcf4b…

MALICIOUS

RTF

28.3 KB First seen: 2023-05-21
MD5: f83050a49383b5c615b9a84543254f4e SHA-1: 59ff738976651d24126bbd6ef313e6f31af9db65 SHA-256: d8588e51d73dcf4b9ca0eeec7a4bbb184a32c0e769df76d075466289f60be95e
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The RTF document contains embedded OLE object data and uses an \objupdate directive, indicating an attempt to exploit a vulnerability to activate the embedded object. This is a common technique for delivering secondary payloads. No document body or script content was available for further analysis, limiting the ability to identify a specific family or more detailed attack steps.

Heuristics 2

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00001d4f.bin
9e33a6298b35826aea34536815e0d780f3e05f043341b0bbe160e123ad127b34		 rtf-objdata-decoded RTF \objdata at offset 0x1D4F 4173 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.