Malicious RTF — malware analysis report

Static analysis result for SHA-256 f87b7d2124d6b7f1…

MALICIOUS

RTF

Size: 28.5 KB
First seen: 2023-07-05
MD5: cd50d67ceed86dfca39f4c375e548ab0
SHA-1: 415dd93ae4fcda969dc2d754f8fbc3e1133e9024
SHA-256: f87b7d2124d6b7f190072409eb6f819ed9e88aa0f8ae04ec6c63c56ebebd4cc6
Risk Score: 100

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking

The RTF file contains OLE object data that is automatically linked and updated, indicating an attempt to execute embedded content. The presence of the `\objdata`, `\objautlink`, and `\objupdate` control words, each matched by one of the heuristics below, strongly suggests the file is designed to exploit OLE activation mechanisms. While no document body content or scripts were available for analysis, the OLE object data itself is the primary indicator of malicious intent, likely serving as a dropper for further malicious payloads.

Heuristics (3)

  • Automatically linked OLE object (severity: high, id: RTF_OBJAUTLINK)
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation (severity: high, id: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, id: RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001fc7.bin
SHA-256: c4de47ff7eec06ad514fbae59eb4c60cf90b245caef83c37ee7bd1721fd54975
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1FC7
Size: 4176 bytes