Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 198904552013a618…

MALICIOUS

RTF / .DOC

6.2 KB First seen: 2023-05-17
MD5: 248bceaee55232a93148c93dea5f2f34 SHA-1: 874874ace1abc219e9ed8fddfb579c6c583d82ae SHA-256: 198904552013a6189a0186f04fa54710ecd7ab797c02e5d0018d892fae6b8f98
80 Risk Score

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model T1204.002 Malicious File

The RTF document contains OLE object data and an \objupdate directive, indicating an attempt to exploit OLE object activation. This suggests the file is designed to trigger code execution when opened, likely leading to a secondary payload. No specific family could be identified.

Heuristics 3

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000009d1.bin
cf3db214b6c7564e8bee810b79701f6f21adbc131d07fc54a42c47ad46e7d226		 rtf-objdata-decoded RTF \objdata at offset 0x9D1 1861 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.