Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 4db68e0e483038f2…

MALICIOUS

RTF / .DOC

9.5 KB First seen: 2022-05-19
MD5: b91be3e6958ddfa2174006843b64ed64 SHA-1: 4da1a22604313819f37e5c198da70e5ace6eec15 SHA-256: 4db68e0e483038f23b71639d1d0bdb42f5325951c48386940d60c807d50620b1
121 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The RTF document contains embedded OLE object data, indicated by the RTF_OBJDATA heuristic. The RTF_OBJUPDATE heuristic suggests that this embedded object is designed to be activated automatically, which is a common technique for exploiting vulnerabilities in document processing applications. The presence of OLE object data strongly implies an attempt to leverage embedded exploits or malicious content. While no specific script was extracted, the structure points towards a malicious OLE object designed to execute code or download further stages.

Heuristics 2

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00001011.bin
471bc3751257476dff46eceeb7ed7d16dd532ca9f57940fc2eb53cd05c4fb0fb		 rtf-objdata-decoded RTF \objdata at offset 0x1011 1977 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.