RTF malware analysis — malicious · f45febc7acc35903

MALICIOUS

RTF

4.4 KB First seen: 2022-10-11

MD5: 68bf6cbe5fb38c6192f601ace5586ae2 SHA-1: cabc59d7f166ec38310eb96cd59329dc2f41848a SHA-256: f45febc7acc35903202001eb1f66aee859c05dc983ef1aebd1ff510070d827e9

60 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 Malicious File

The RTF document contains OLE object data and uses an \objupdate directive, indicating an attempt to exploit OLE object activation. This is a common technique for delivering malicious payloads via embedded objects in documents. No specific family could be identified from the available evidence.

Heuristics 2

\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off0000007d.bin` `93e40ad0b3600c67380c35653970038a1ab30116b5c29b63d4abae386adbe19d`	rtf-objdata-decoded	RTF \objdata at offset 0x7D	2012 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.