RTF / .DOC malware analysis — malicious · 8e8371e83608c994

MALICIOUS

RTF / .DOC

3.9 KB First seen: 2023-04-06

MD5: 8bab679e70a2d7fbc2dc7f7264b303fd SHA-1: 0f2430ed2fdf689aa4a14034777b74b32a0f5d34 SHA-256: 8e8371e83608c994f3708abfb2746770665f1aa84bdb7322544b2fac7c7f01fa

60 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 Malicious File

The RTF document contains OLE object data and uses an \objupdate directive, indicating an attempt to exploit OLE object activation. This is a common technique for delivering malicious payloads disguised as standard documents. No specific family could be identified from the available heuristics.

Heuristics 2

\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off00000081.bin` `ef7aa9475061f0416359b683c2c69ad2cfd275c1be06d906e63a085d14561103`	rtf-objdata-decoded	RTF \objdata at offset 0x81	1872 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.