Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 4ab2e4e7bedf0c9d…

MALICIOUS

RTF / .DOC

Size: 3.6 KB
First seen: 2022-11-23
MD5: f2895405298e38600e2b20975265f5ac
SHA-1: cad3fabeb6bb0a9aab741f43652d1c0108a48391
SHA-256: 4ab2e4e7bedf0c9def67194cb6c7593e99ccd99e326c3904f49be5eb0ae04f53
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The RTF document contains OLE object data and an \objupdate directive, indicating an attempt to trigger OLE object activation. This is a common technique for exploiting vulnerabilities to execute arbitrary code. The specific exploit targeted is not immediately clear from the provided heuristics, but the intent is to leverage embedded objects for malicious execution.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  Filename: objdata_00_off00000079.bin
  SHA-256:  f2835b2330d03b941c0962eb68c12c75cb89ace219009674f12c954d0807d673
  Kind:     rtf-objdata-decoded
  Source:   RTF \objdata at offset 0x79
  Size:     1744 bytes