Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 4585805da6365220…

MALICIOUS

RTF / .DOC

Size: 5.5 KB
First seen: 2023-01-20
MD5: 4c1bc196dd4f9e4a4f2e605ea157808f
SHA-1: fd592e844e9cc61ce44b6cfc798d3556cea76f64
SHA-256: 4585805da6365220a4e584b46c92e68a9684c026bb93fd5ba5494ffa40847864
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The RTF document contains OLE object data and an \objupdate directive, indicating an attempt to embed and automatically activate external content. This is a common technique for delivering malicious payloads. No document body or script content was available for further analysis, limiting the ability to determine the specific payload or family.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s): embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000009a8.bin
SHA-256: e930b2fd2a21c799fd2cec6f814f63a57e098b92fa7cb6a840987082680276a9
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x9A8
Size: 1537 bytes