Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 3b8b47dcdff12eee…

MALICIOUS

RTF / .DOC

Size: 25.0 KB
First seen: 2022-07-10
MD5: ed1f8846adb204450950eed4293bf866
SHA-1: e58b9ac4daae829f298caa5995e0f75b027cbd9c
SHA-256: 3b8b47dcdff12eee7ce281f283201ca1b8f8ec7c2d6f92f0be08653faec368d0
Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File
  • T1027 Obfuscated Files or Information

The RTF document contains embedded OLE objects, indicated by the RTF_OBJDATA and RTF_OLE10NATIVE_STREAM heuristics. The RTF_OBJUPDATE heuristic suggests that these embedded objects are designed to be activated automatically upon opening the document. This mechanism is commonly used to download and execute malicious payloads from external sources.

Heuristics 3

  • Ole10Native stream in RTF OLE object (severity: high; CVE related; RTF_OLE10NATIVE_STREAM)
    RTF contains an embedded OLE object with an Ole10Native stream. This is a strong payload-container signal and is related to Word/OLE exploit delivery, but it is not specific enough on its own to assign a CVE.
  • \objupdate forces OLE activation (severity: high; RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium; RTF_OBJDATA)
    RTF contains 2 \objdata section(s) — embedded OLE objects.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001753.bin
SHA-256: 05c0e979925e2e9c00209aef259c36374d3490ff99ffc3b1a97773e04b2e7299
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1753
Size: 4784 bytes