Malicious RTF — malware analysis report

Static analysis result for SHA-256 fcd780e6f7cd18ff…

Verdict: MALICIOUS
File type: RTF
Size: 4.0 KB
MD5: 9d2d6844f80ebe2f244b2922b22b0a68
SHA-1: e0f13fb35f5cc3d3e79c1e983aa0465e84a6e773
SHA-256: fcd780e6f7cd18ff4bc7936f81b60e4c1a5b271ba3a0e75b5743c9f3dab820de
Risk score: 80

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The RTF file contains embedded OLE object data, and a heuristic indicates that \objupdate forces OLE activation. This suggests the file is designed to exploit a vulnerability within the RTF parser to trigger the execution of the embedded object. The document body contains only numerical data, providing no further context on the lure. No scripts were extracted from this sample.

Heuristics (3)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s), i.e. embedded OLE objects.
  • Embedded OLE object (severity: medium, rule: RTF_OBJEMB)
    RTF contains \objemb, an embedded OLE object.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  Filename: objdata_00_off00000084.bin
  SHA-256:  e045559e1bd8659e912d850d2313695fcb9b7ddd7096d912cc51b5e46600b62e
  Kind:     rtf-objdata-decoded
  Source:   RTF \objdata at offset 0x84
  Size:     1971 bytes