Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 197cf9424d11d6de…

MALICIOUS

RTF / .DOC

Size: 9.9 KB    First seen: 2023-04-25
MD5:     a80228af41ee12ecd23f8fec93b11bc6
SHA-1:   ab031f97b5fa39b675a0969e1c50ebd2f0f82289
SHA-256: 197cf9424d11d6de07b4cb5b2aff7abaedd8b21774dd8e3273e7cd141aadbc4c
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.002 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

The RTF document contains OLE object data and an \objupdate directive, indicating an attempt to exploit OLE object activation. This technique is commonly used to deliver malicious payloads, often via spearphishing attachments. No specific family could be identified, and no further IOCs were extracted.

Heuristics (2)

  • \objupdate forces OLE activation  [severity: high]  rule: RTF_OBJUPDATE
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data  [severity: medium]  rule: RTF_OBJDATA
    RTF contains 1 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename:  objdata_00_off0000174a.bin
SHA-256:   a7ebf6d9b1c71b987cce0a426e1d5718f4a80ba02a516698805ae47104a7a400
Kind:      rtf-objdata-decoded
Source:    RTF \objdata at offset 0x174A
Size:      2070 bytes