Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 8af2e65975a1cf95…

MALICIOUS

RTF / .DOC

Size: 472.2 KB    First seen: 2023-08-29
MD5: b5c43ecb78283e51b8c643b3d3b158f4
SHA-1: 722df4b0ef8cc2dceba0db6af16b92c9142b7c26
SHA-256: 8af2e65975a1cf9571a9cf2dc01b394d3b88f9ab0736c019b8d26af2a66cedd4
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The RTF document contains OLE object data and a \objupdate directive, indicating an attempt to exploit OLE activation for malicious purposes. The embedded OLE object, decoded from objdata, is the primary indicator of compromise. Without further script analysis or document body content, the exact payload and delivery mechanism remain unclear, leading to an unknown family classification.

Heuristics (2)

  • \objupdate forces OLE activation  [severity: high]  rule: RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data  [severity: medium]  rule: RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename:  objdata_00_off000016c9.bin
SHA-256:   58e9c79d6f31d171b8324bbc61cab5e3112abeebfdbefd1e021d643a77fe8878
Kind:      rtf-objdata-decoded
Source:    RTF \objdata at offset 0x16C9
Size:      1898 bytes