Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 0be892878068ff1a…

MALICIOUS

RTF / .DOC

Size: 3.9 KB
First seen: 2022-11-03
MD5: 6cf524efde944bf5b3333a1aa7b05696
SHA-1: f7ae032a3bcc7906a838d58c7866c919f4f66913
SHA-256: 0be892878068ff1adbcf0f87e1d55ff3e921a2a2b3ecf73c8993e43e96890450
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious File

The RTF document contains an OLE object with the \objupdate directive, indicating an attempt to automatically activate embedded content. This technique is commonly used to exploit vulnerabilities and deliver secondary payloads. No specific family could be identified due to the lack of script content or network indicators.

Heuristics (2)

  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (medium): OLE object data
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000086.bin
SHA-256: 129a3ead0a4ded483d853c94d8fc10122b239d7170b72eace97f454c84f765d9
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x86
Size: 1876 bytes