Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 1ed55fdd83322eda…

MALICIOUS

RTF / .DOC

Size: 9.3 KB
First seen: 2022-05-30
MD5: b948c72c6c7f43d24dc3bff4c8e04e24
SHA-1: a453a02942462502b5f7872c88dd9885c5b027b7
SHA-256: 1ed55fdd83322eda737ccc34b8ca5d2c98677feba34da1ba67089e9e20b5f139
Risk Score: 117

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The RTF document contains an embedded OLE object, indicated by the RTF_OBJDATA heuristic. The RTF_OBJUPDATE heuristic suggests that this object is designed to be activated automatically, likely exploiting a vulnerability to execute code. The document body is heavily obfuscated and does not provide clear intent, but the presence of the OLE object strongly suggests an exploit attempt.

Heuristics (2)

  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (medium): OLE object data
    RTF contains 1 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                     Kind                  Source                          Size
objdata_00_off00001745.bin   rtf-objdata-decoded   RTF \objdata at offset 0x1745   1737 bytes
  SHA-256: 3f60f90c2ba91c0153b34aaeb855203e903ad014d91f14279a757f15c0864a26