Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 7b5b1011379a1989…

MALICIOUS

RTF / .DOC

4.0 KB First seen: 2023-06-19
MD5: 8052338c82b56e0a63a1907bb12cdead SHA-1: 005f42668a4dcf9ae96edb821788d7f4049ef587 SHA-256: 7b5b1011379a1989001c46d67841937f12784d7be44c1c2cf851a72b9a135256
80 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The RTF document contains embedded OLE objects, triggered by \objupdate, indicating an attempt to exploit a vulnerability upon opening. The presence of \objdata further confirms the embedding of executable content. While no specific script or payload was directly extracted, the heuristics strongly suggest a malicious RTF exploiting OLE object activation to achieve arbitrary code execution.

Heuristics 3

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0000008f.bin
6b9cbfe1e3f597c36ceed70b987312262af114e832601823cd0e8b087de0672f		 rtf-objdata-decoded RTF \objdata at offset 0x8F 1930 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.