Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 8f2b653445ef87c5…

MALICIOUS

RTF / .DOC

12.0 KB First seen: 2022-04-21
MD5: c69def620e0dc4d8735836fbefec2de1 SHA-1: b73c71b124748307644a2d6dbc5fcc28bb21452a SHA-256: 8f2b653445ef87c5486b1520960a982fa38e662aa773b2d9e4dad851c0ec6656
121 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File T1027 Obfuscated Files or Information

The RTF document contains OLE object data and uses an \objupdate directive to force activation. This suggests the document is designed to exploit vulnerabilities or trick the user into activating embedded objects, which is a common delivery mechanism for malware. The specific nature of the payload could not be determined due to the lack of executable scripts or further details in the document body.

Heuristics 2

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00001faf.bin
69dd623b1cafcde4bb650ab5d50d84ebe9551b98459e217948d3fa0c3a60195f		 rtf-objdata-decoded RTF \objdata at offset 0x1FAF 1302 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.