Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 5dcef89af0d66555…

MALICIOUS

RTF / .DOC

Size: 4.5 KB
First seen: 2023-01-12
MD5: dc2c468bffc5761027b5c9c3f473d64e
SHA-1: 3a776e35046a1a386654fa62d0a82f41d454aaa9
SHA-256: 5dcef89af0d66555b7a0389ff4f94a919fd0bc4e329abdc0a7e88a5c46d61af0
Risk score: 60

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The RTF document contains OLE object data and triggers an OLE activation via \objupdate, indicating an attempt to execute embedded content. While no specific payload or URL was directly extracted, the presence of OLE object data strongly suggests a mechanism for delivering and executing a secondary stage. The lack of readable document body text or scripts limits further analysis of the specific lure.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000007a0.bin
SHA-256: fd9453b1ee9221bbab108a3c980d1f230f8c7e3cd9b7521d6e489cd5454887c2
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x7A0
Size: 1296 bytes