Malicious RTF — malware analysis report

Static analysis result for SHA-256 ed81c5f683ed520f…

Verdict: MALICIOUS
File type: RTF
Size: 199.5 KB
First seen: 2024-06-27
MD5: d268f6028d5fcdb70bf64bf7419852a4
SHA-1: f0e2db78d7d624122c466e12b4fc0c3b42ecc38c
SHA-256: ed81c5f683ed520fb65e5c03c2c529952fbc34725752f544d0d6c7d76bf6b19b
Risk score: 100

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The RTF file contains OLE object data that is activated by \objupdate, indicating an attempt to exploit automatic OLE activation. The presence of an Ole10Native stream further supports this, suggesting the embedded object is malicious. No specific script was extracted, but the heuristics strongly point to a malicious OLE object designed to execute code when the document is opened.

Heuristics (3)

  • Ole10Native stream in RTF OLE object (severity: high; CVE-related; rule: RTF_OLE10NATIVE_STREAM)
    RTF contains an embedded OLE object with an Ole10Native stream. This is a strong payload-container signal and is related to Word/OLE exploit delivery, but it is not specific enough on its own to assign a CVE.
  • \objupdate forces OLE activation (severity: high; rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium; rule: RTF_OBJDATA)
    RTF contains 1 \objdata section (an embedded OLE object).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001b76.bin
SHA-256: b9d3f7350a6a9211b40692da926d6369cf983c55b26bfc7b6e010f397520e78e
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1B76
Size: 4688 bytes