Malicious RTF — malware analysis report

Static analysis result for SHA-256 e24f9280b453e526…

MALICIOUS

RTF

Size: 25.9 KB
First seen: 2023-03-13
MD5: fa106001a7cf2deb09192898ba82b50f
SHA-1: d472611b9c4185f4dad80143c6c46cb3a3047779
SHA-256: e24f9280b453e5262a8f191193f4bf2c249273d30b32dd19e924e56f7e02f057
Risk score: 100

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The RTF document contains OLE object data and uses \objupdate to force OLE activation, indicating an attempt to exploit vulnerabilities related to embedded objects. The presence of these indicators strongly suggests a malicious intent to execute code, likely for downloading and running a secondary payload. No specific family could be identified.

Heuristics (3)

  • Ole10Native stream in RTF OLE object [severity: high, CVE related] (rule: RTF_OLE10NATIVE_STREAM)
    RTF contains an embedded OLE object with an Ole10Native stream. This is a strong payload-container signal and is related to Word/OLE exploit delivery, but it is not specific enough on its own to assign a CVE.
  • \objupdate forces OLE activation [severity: high] (rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [severity: medium] (rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001265.bin
SHA-256: 2a80bd858eacaf6b8e9cde2bd3f9d7d1ee7c997f8fd4f2652a11a8da6f53b818
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1265
Size: 4692 bytes