Malicious RTF — malware analysis report

Static analysis result for SHA-256 db7bbd8f8fa8de04…

Verdict: MALICIOUS
File type: RTF
Size: 8.7 KB
First seen: 2023-01-10
MD5: c7f6841607cce1d41934a70e27846a92
SHA-1: 03833634e5693bf6b20311a1363206e4ed683fb4
SHA-256: db7bbd8f8fa8de0490178e251eb42e8661e76af1fcbb71e9609402a8fe5f44d7
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious File

The RTF document contains OLE object data and uses an \objupdate directive, indicating an attempt to exploit OLE object handling vulnerabilities. This is a common technique for delivering malicious payloads. No specific family could be identified, and no further IOCs were extracted.

Heuristics 2

  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (medium): OLE object data
    RTF contains 1 \objdata section(s) (embedded OLE objects).

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: objdata_00_off000013e6.bin
SHA-256: e9466c305082d667d7551aa58c86b92132036504d26aa057b52dd3940afdef40
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x13E6
Size: 1866 bytes