Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 57e70e4083075627…

MALICIOUS

RTF / .DOC

Size: 21.4 KB
First seen: 2023-06-01
MD5: f18154ad38c526af21cafa86c6188011
SHA-1: 372e6424164efc6ab24248b98119eb784dcd3bed
SHA-256: 57e70e40830756271f4ab7fb92bc9b7df138812ccb9ea8e8b281b9e3772fa77f
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious File

The RTF document contains OLE object data (\objdata) together with an \objupdate directive, indicating an attempt to abuse OLE automatic activation. This suggests the file is designed to trigger the embedded object as soon as the document is opened, without further user interaction, most likely for initial access or payload delivery.

Heuristics (2)

  • \objupdate forces OLE activation  [severity: high]  RTF_OBJUPDATE
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data  [severity: medium]  RTF_OBJDATA
    RTF contains 1 \objdata section(s) (embedded OLE objects).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000c70.bin
SHA-256:  076d63b7e0dc0be3c117653a4f1c8faff7e69fa8db774616dbc918e2da2760f1
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0xC70
Size:     3667 bytes