Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 88a30998e16685f7…

MALICIOUS

RTF / .DOC

Size: 3.4 KB
First seen: 2023-06-20
MD5: 674ffa56c80f33cb36302433870f8865
SHA-1: 0f77d9c8c21653978fd9ea5f94484ebc6cceae08
SHA-256: 88a30998e16685f778e1f9b61c5513bdaf30f0582c0c1ad276e155b570f96fd8
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The RTF document contains OLE object data together with an \objupdate directive, indicating it is designed to exploit vulnerabilities in OLE object activation. This technique is commonly used to deliver malicious payloads, typically via spearphishing attachments. The heuristics do not identify the specific vulnerability targeted, but the delivery mechanism is clear.

Heuristics (2)

  • \objupdate forces OLE activation [severity: high] (RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [severity: medium] (RTF_OBJDATA)
    RTF contains 1 \objdata section(s) with embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                   | Kind                | Source                      | Size
---------------------------|---------------------|-----------------------------|-----------
objdata_00_off00000087.bin | rtf-objdata-decoded | RTF \objdata at offset 0x87 | 1645 bytes

SHA-256 of objdata_00_off00000087.bin: f1325c5fe0a4d302655eafe412a81fd6c749c163e65c05cc2db1015805b18151