Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 49ad5c37af4babcc…

MALICIOUS

RTF / .DOC

Size: 23.6 KB    First seen: 2023-06-01
MD5: 64d39883417401cc3d8ea3f76d4a9a50
SHA-1: 9d0b640920b4b0343772bc6c9d99942ee0addceb
SHA-256: 49ad5c37af4babccff65ab341448e22b1e6392d3e20e7f59aff4f389f88faf12
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1559.001 Inter-Process Communication: Component Object Model
T1204.002 User Execution: Malicious File

The sample is an RTF document containing embedded OLE object data. The \objupdate control word is present: it forces the embedded object to be loaded and updated as soon as the document is opened, so the object is activated without the user double-clicking it, which is how malicious documents trigger a vulnerable OLE server. Together with the \objemb and \objdata control words this points to an attack pattern that abuses OLE object handling for code execution. Which OLE server is targeted is determined by the class name in the decoded \objdata stream, not by the control words alone.

Heuristics (3)

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate, which forces the OLE object to be instantiated and updated automatically when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents. Note that \objupdate is a legitimate RTF control word (it requests that the object be updated before it is displayed), so this hit is a strong indicator rather than proof; confirm by decoding the \objdata stream and identifying the OLE class.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                     Kind                  Source                         Size
objdata_00_off00000c75.bin   rtf-objdata-decoded   RTF \objdata at offset 0xC75   4171 bytes
    SHA-256: dae78ef0be075f34e590b8e7b856a3c49b2da6737fa76124456e448038571e8a
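How a scanner arrives at the three heuristics above and at a carved objdata_00_off… artifact, as an added Python example (this is not the analysis platform's own code): it flags the control words, hex-decodes each \objdata group, records the offset and SHA-256 of the decoded bytes, and parses the OLE 1.0 stream header to recover the embedded class name, which is the check that tells you which OLE server the document will activate. The sample RTF, the Equation.3 class name and the placeholder native payload are constructed for the example; the regex-based extraction is a simplification of a real RTF tokenizer (nested groups and obfuscated hex are handled by tools such as oletools' rtfobj).

```python
import binascii
import hashlib
import re
import struct

# Heuristic table modelled on the report's three hits (ids and severities as on the page).
HEURISTICS = (
    (b"\\objupdate", "RTF_OBJUPDATE", "high",   "\\objupdate forces OLE activation on open"),
    (b"\\objdata",   "RTF_OBJDATA",   "medium", "embedded OLE object data"),
    (b"\\objemb",    "RTF_OBJEMB",    "medium", "embedded OLE object"),
)

# Simplified: hex run directly after \objdata, up to the closing brace. A real RTF
# tokenizer must handle nested groups, split/obfuscated hex and \bin runs.
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def lp_string(s: bytes) -> bytes:
    """OLE 1.0 LengthPrefixedAnsiString: 4-byte length (including NUL) + string + NUL."""
    s += b"\x00"
    return struct.pack("<I", len(s)) + s


def build_ole1_stream(class_name: bytes, native: bytes) -> bytes:
    """Serialise an OLE 1.0 embedded-object stream (FormatID 2), the layout Word
    stores under \\objdata. Used here only to construct the sample input."""
    return (
        struct.pack("<I", 0x00000501)     # OLEVersion
        + struct.pack("<I", 2)            # FormatID: 2 = embedded object
        + lp_string(class_name)           # ClassName, e.g. b"Equation.3"
        + struct.pack("<I", 0)            # TopicName (empty)
        + struct.pack("<I", 0)            # ItemName (empty)
        + struct.pack("<I", len(native))  # NativeDataSize
        + native                          # NativeData (the actual payload)
    )


def parse_ole1_stream(data: bytes) -> dict:
    """Parse the OLE 1.0 stream header; return class name and the native payload."""
    version, fmt_id = struct.unpack_from("<II", data, 0)
    off = 8

    def read_lp(pos):
        (n,) = struct.unpack_from("<I", data, pos)
        pos += 4
        return data[pos:pos + n].rstrip(b"\x00"), pos + n

    class_name, off = read_lp(off)
    _topic, off = read_lp(off)
    _item, off = read_lp(off)
    if fmt_id != 2:
        raise ValueError("only FormatID 2 (embedded) is handled, got %d" % fmt_id)
    (size,) = struct.unpack_from("<I", data, off)
    off += 4
    native = data[off:off + size]
    if len(native) != size:
        raise ValueError("truncated NativeData: expected %d bytes, got %d" % (size, len(native)))
    return {"ole_version": version, "class_name": class_name.decode("latin-1"),
            "native_size": size, "native": native}


def analyze_rtf(rtf: bytes) -> dict:
    """Flag the report's heuristics and carve/decode every \\objdata section."""
    hits = [{"id": hid, "severity": sev, "desc": desc}
            for word, hid, sev, desc in HEURISTICS if word in rtf]
    objects = []
    for idx, m in enumerate(OBJDATA_RE.finditer(rtf)):
        offset = m.start()
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        if len(hexdata) % 2:          # tolerate a dangling nibble instead of failing
            hexdata = hexdata[:-1]
        raw = binascii.unhexlify(hexdata)
        entry = {"filename": "objdata_%02d_off%08x.bin" % (idx, offset),
                 "offset": offset, "size": len(raw),
                 "sha256": hashlib.sha256(raw).hexdigest()}
        try:
            entry.update(parse_ole1_stream(raw))
        except (ValueError, struct.error) as exc:
            entry["error"] = str(exc)   # keep the carved bytes even if the header is odd
        objects.append(entry)
    return {"heuristics": hits, "objects": objects}


# Constructed sample: RTF wrapper around an Equation.3 object whose native data is a
# placeholder (compound-file magic plus zero padding), not a real exploit payload.
PLACEHOLDER_NATIVE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
_hex = binascii.hexlify(build_ole1_stream(b"Equation.3", PLACEHOLDER_NATIVE))
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\deff0\n"
    b"{\\object\\objemb\\objupdate\\objw400\\objh300\n"
    b"{\\*\\objclass Equation.3}\n"
    b"{\\*\\objdata " + b"\n".join(_hex[i:i + 64] for i in range(0, len(_hex), 64)) + b"}\n"
    b"{\\result {\\pict\\wmetafile8 }}}\n"
    b"}\n"
)

if __name__ == "__main__":
    report = analyze_rtf(SAMPLE_RTF)
    for h in report["heuristics"]:
        print("%-7s %-14s %s" % (h["severity"], h["id"], h["desc"]))
    for o in report["objects"]:
        print(o["filename"], o.get("class_name", "?"), o.get("native_size", "?"),
              "bytes, sha256=" + o["sha256"])
```

The class name is the decisive field: a stream whose ClassName is Equation.3 will be handed to the Equation Editor server on activation, which is what the RTF_OBJUPDATE heuristic is really warning about. For a real sample, run the same analysis on the carved .bin rather than on a sandbox summary, and check the native data's magic bytes to see whether it is a compound file, an executable or something else.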