Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 68b6c810be185466…

MALICIOUS

RTF / .DOC

Size: 3.7 KB
First seen: 2022-12-02
MD5: 73e90b8ab794140d531074ce5fbae281
SHA-1: 8339de2af1ae803455af991acbf8694e5c060153
SHA-256: 68b6c810be1854669614d9a1c371146ad2283ea737cd06ccbce96672bd559002
Risk score: 60

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The RTF document contains embedded OLE object data, flagged by the RTF_OBJDATA heuristic. The \objupdate control word, flagged by the RTF_OBJUPDATE heuristic, instructs Word to instantiate that object as soon as the document is opened, with no click or prompt from the user; in a 3.7 KB document with a single embedded object this is the delivery pattern used by documents that exploit an OLE server (historically Equation Editor) rather than the behaviour of a legitimate file. No specific exploit was identified in the carved object, but the combination of an auto-activated embedded OLE object in an otherwise empty document is a strong indicator of a malicious document built to trigger an OLE object vulnerability. The practical next step is to decode the \objdata payload, read the class name in its OLE 1.0 header (or the \objclass control word beside it) to learn which OLE server it targets, and then examine the carved native data.

Heuristics 2

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
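The two heuristics above can be reproduced offline. The following script is an added example written for this page, not code from the analysis platform that produced the report. It locates \objupdate, hex-decodes each \objdata group, parses the OLE 1.0 ObjectHeader (MS-OLEDS 2.2.4: OLEVersion, FormatID, ClassName, TopicName, ItemName, NativeDataSize) that starts every decoded blob, and reports the object's byte offset, decoded size and class name, the same fields the report lists for its carved artifact. The RTF it runs on is a constructed sample with an "Equation.3" object and filler native data, not the analysed file; the `SAMPLE_*` names, `build_ole1_object` and `analyse_rtf` are this example's own.

```python
"""Triage an RTF for the RTF_OBJUPDATE and RTF_OBJDATA heuristics.

Added example (not part of the original report or analysis platform). For each
\\objdata group it hex-decodes the payload and parses the OLE 1.0 ObjectHeader
(MS-OLEDS 2.2.4) so the analyst can see which OLE server the auto-activated
object targets.
"""
import re
import struct

OLE1_FORMAT_ID = {1: "LinkedObject", 2: "EmbeddedObject"}


def _lp_ansi(s: bytes) -> bytes:
    """Encode an MS-OLEDS LengthPrefixedAnsiString (Length counts the NUL; 0 = absent)."""
    if not s:
        return struct.pack("<I", 0)
    return struct.pack("<I", len(s) + 1) + s + b"\x00"


def build_ole1_object(class_name: bytes, native: bytes) -> bytes:
    """Build an OLE 1.0 embedded-object stream; used here only to construct the sample."""
    return (struct.pack("<II", 0x00000501, 2)   # OLEVersion, FormatID = EmbeddedObject
            + _lp_ansi(class_name)               # ClassName (ProgID of the OLE server)
            + _lp_ansi(b"") + _lp_ansi(b"")      # TopicName, ItemName (unused when embedded)
            + struct.pack("<I", len(native)) + native)


def parse_ole1_header(data: bytes) -> dict:
    """Parse the OLE 1.0 ObjectHeader that starts every decoded \\objdata blob."""
    ole_version, format_id = struct.unpack_from("<II", data, 0)
    off = 8
    fields = []
    for _ in range(3):                           # ClassName, TopicName, ItemName
        (n,) = struct.unpack_from("<I", data, off)
        off += 4
        fields.append(data[off:off + n].rstrip(b"\x00"))
        off += n
    native_size = None
    if format_id == 2:                           # embedded objects carry NativeDataSize
        (native_size,) = struct.unpack_from("<I", data, off)
        off += 4
    return {"ole_version": ole_version,
            "format_id": OLE1_FORMAT_ID.get(format_id, f"unknown({format_id})"),
            "class_name": fields[0].decode("latin-1"),
            "native_size": native_size,
            "native_offset": off}


NON_HEX = re.compile(rb"[^0-9A-Fa-f]")


def analyse_rtf(rtf: bytes) -> dict:
    """Return the \\objupdate flag plus one record per \\objdata group."""
    objects = []
    for m in re.finditer(rb"\\objdata\b", rtf):
        start = m.end()
        end = rtf.find(b"}", start)
        if end < 0:
            end = len(rtf)
        # Strip whitespace and anything else that is not a hex digit before decoding.
        # Real exploit documents pad this region with junk control words; a production
        # parser (e.g. rtfobj) has to handle that obfuscation more carefully than this.
        hexdata = NON_HEX.sub(b"", rtf[start:end])
        if len(hexdata) % 2:
            hexdata = hexdata[:-1]
        blob = bytes.fromhex(hexdata.decode("ascii"))
        rec = {"offset": m.start(), "decoded_size": len(blob)}
        if len(blob) >= 8:
            rec.update(parse_ole1_header(blob))
        objects.append(rec)
    return {
        "objupdate": re.search(rb"\\objupdate\b", rtf) is not None,
        "objects": objects,
        # The report's own reasoning: forced activation of an Equation Editor object
        # is the classic exploit-document pattern. ProgID "Equation.3" is the check.
        "equation_editor": any(o.get("class_name", "").startswith("Equation") for o in objects),
    }


# Constructed sample (not the analysed file): one \object carrying \objupdate whose
# \objdata is the hex of an OLE 1.0 embedded "Equation.3" object with 64 filler bytes.
SAMPLE_NATIVE = b"\x00" * 64
SAMPLE_OBJECT = build_ole1_object(b"Equation.3", SAMPLE_NATIVE)
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\deff0\n"
    b"{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
    b"{\\*\\objdata " + SAMPLE_OBJECT.hex().encode() + b"}}\n"
    b"}\n"
)

if __name__ == "__main__":
    result = analyse_rtf(SAMPLE_RTF)
    print("\\objupdate present:", result["objupdate"])
    for o in result["objects"]:
        print(f"\\objdata at offset 0x{o['offset']:X}: {o['decoded_size']} bytes decoded, "
              f"class={o['class_name']!r}, {o['format_id']}, native={o['native_size']} bytes")
    print("Equation Editor target:", result["equation_editor"])
```

Run on the real file (`analyse_rtf(open(path, "rb").read())`), the offset and decoded size should line up with the artifact table below, and `class_name` tells you which OLE server the auto-activated object is meant to load; `native_offset` is where to start carving the payload for the next stage of analysis.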

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000007b.bin
SHA-256: e9b62b0d97d911099f69d56417b119dfff83846071e12a285caa9484faeae676
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x7B
Size: 1770 bytes