Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 153182c5713529c1…

MALICIOUS

RTF / .DOC

Size: 4.0 KB
First seen: 2023-01-16
MD5: 0e563dae9417e021b5b01f0d09e0607b
SHA-1: fc73f1c712c054be33fc7e3d6a824075d174d0c4
SHA-256: 153182c5713529c1b62b2735ac1743e6a8d46f296504c26da3e97a4f9e835fbd
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The RTF document contains OLE object data and a directive to update it, indicating an attempt to exploit vulnerabilities associated with embedded objects. This pattern is commonly used to deliver malicious payloads. No specific family could be identified due to the lack of script content or further indicators.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000006d.bin
SHA-256: 1a92b292910dca8836e356551faa036b9c9da4dfc996e3b7fe0baee9244f2696
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x6D
Size: 1964 bytes