Malicious RTF — malware analysis report

Static analysis result for SHA-256 ee6097ba460179e5…

Verdict: MALICIOUS
File type: RTF
Size: 178.3 KB
First seen: 2024-06-27
MD5: b42c7a60e045a89970b33577980acd7d
SHA-1: 08002421eaadc5ceccd1f90b278423cdc1c66956
SHA-256: ee6097ba460179e5759b5e021e85270f962ee6a5849a52883c062e5efbc8c3c8
Risk score: 100

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The RTF file contains OLE object data and triggers OLE activation via \objupdate, indicating an attempt to execute embedded content without user interaction. The combination of the RTF_OBJAUTLINK and RTF_OBJDATA heuristics strongly suggests that a malicious OLE object is embedded in the document. No script was extracted, but the RTF structure and the heuristics that fired point to a delivery mechanism for a secondary payload.

Heuristics (3)

  • Automatically linked OLE object (severity: high, RTF_OBJAUTLINK)
    RTF contains \objautlink, an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation (severity: high, RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, RTF_OBJDATA)
    RTF contains 1 \objdata section(s), i.e. embedded OLE object data.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001f67.bin
SHA-256: 0ba3a7845346bd90c845df953717efa016e98b5315c3e75e57632079796f9bb1
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1F67
Size: 4158 bytes