Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 5b9c11d13a4248d5…

MALICIOUS

RTF / .DOC

Size: 11.2 KB
First seen: 2023-07-06
MD5: b6bd074fb634b96031612f50685849f2
SHA-1: 61f4715dface3ab8d454d4c95a963273dc51be76
SHA-256: 5b9c11d13a4248d503ccb0f9838e24d7893c4439c6c03891a9462d91ebc066cc
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious File

The RTF document contains embedded OLE object data, flagged by the RTF_OBJDATA heuristic. The RTF_OBJUPDATE heuristic indicates that the document also carries the \objupdate control word, which causes the embedded object to be instantiated automatically when the document is opened, without any user interaction; this is a common technique for triggering vulnerabilities in the object's handler or for delivering a payload. The exact nature of the embedded object was not determined by static analysis, but the combination of an embedded OLE object and forced automatic activation points towards malicious intent.

Heuristics (2)

  • \objupdate forces OLE activation [high] (RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] (RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                    Kind                 Source                         Size
objdata_00_off00001d99.bin  rtf-objdata-decoded  RTF \objdata at offset 0x1D99  1893 bytes
  SHA-256: 6fdd06c097a63388543231579bea29e197c60b1e4265b8bde76a3c57e7908b82