Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 74e4bbfde10adc93…

MALICIOUS

RTF / .DOC

Size: 355.3 KB
First seen: 2022-12-08
MD5: 7db9a4be8841b18a5ad4fe4f08abb563
SHA-1: e5fd57635e7a39c40012bc31a89f34154d236d49
SHA-256: 74e4bbfde10adc931865a828b72627ce4eed9e5ac491f1bcf6744546cfde7088
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment

The RTF file contains OLE object data and a specific trigger (\objupdate) that forces OLE object activation. This suggests the file is designed to exploit OLE vulnerabilities to execute embedded code. No document body or script content was available for further analysis, which limits the ability to determine the exact payload or malware family.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000114e.bin
SHA-256: c822f35831acfab29254850a6cf96b0d7fe00a09aca339206e70430117ac3daf
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x114E
Size: 1651 bytes