Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 95386d610198b976…

MALICIOUS

RTF / .DOC

Size: 3.4 KB
First seen: 2023-06-13
MD5: 11d0b3560a016f8ebc453529f3a2ccf1
SHA-1: 20ca0dd5df903f3360f11fc449ab1694effe285e
SHA-256: 95386d610198b97602ddebbcc2b82d447a833370ae707225e713d92011b0027c
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious File

The RTF document contains embedded OLE object data (RTF_OBJDATA heuristic): a single \objdata section at offset 0x8B, whose hex payload decodes to a 1657-byte OLE object. The same object is marked with \objupdate (RTF_OBJUPDATE heuristic), a control word that makes Word refresh the object, and therefore instantiate its OLE server, as soon as the document is opened, without waiting for the user to activate it. The specific exploit mechanism is not identified by this static analysis, but an embedded object combined with forced activation on open is characteristic of malicious documents that exploit the OLE server (typically Equation Editor) rather than relying on user action.

Heuristics (2)

  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    RTF contains \objupdate, which forces the embedded OLE object to be instantiated automatically when the document is opened, without any user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (medium): OLE object data
    RTF contains 1 \objdata section(s), i.e. embedded OLE object(s) stored as hex.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000008b.bin
SHA-256:  9335cb81d706feecf9de5f7edb75eaa0c515932372787f90ce690ef06bf58fa6
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x8B
Size:     1657 bytes
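The two heuristics and the carved \objdata artifact listed above can be reproduced with a short triage script. The following is an added example, not the analysis platform's own code: it flags \objupdate, locates every \objdata group, strips the junk that obfuscated documents interleave with the hex, decodes it, and parses the OLE 1.0 object header (the MS-OLEDS layout: version, format ID, length-prefixed class/topic/item names, native data size) to recover the embedded class name and native payload. The RTF it runs on by default is constructed inline; its payload carries the class name Equation.3 and four placeholder bytes, which is an assumption for illustration and not the content of the analysed sample. Pass a path on the command line to run it on a real file.

```python
import re
import struct
import sys
from typing import Dict, List, Optional

# RTF control words end at the first non-letter, so the lookahead keeps
# \objupdate from matching a longer word such as \objupdatefoo.
OBJUPDATE_RE = re.compile(rb"\\objupdate(?![A-Za-z])")
OBJDATA_RE = re.compile(rb"\\objdata(?![A-Za-z])")
CONTROL_WORD_RE = re.compile(rb"\\\*|\\[A-Za-z]+-?\d*")   # matches \* and \word[N]
NON_HEX_RE = re.compile(rb"[^0-9A-Fa-f]")


def has_objupdate(rtf: bytes) -> bool:
    """RTF_OBJUPDATE: the object is refreshed (its OLE server invoked) on open."""
    return OBJUPDATE_RE.search(rtf) is not None


def _group_body(rtf: bytes, start: int) -> bytes:
    """Bytes from `start` up to the '}' that closes the enclosing RTF group."""
    depth = 0
    for i in range(start, len(rtf)):
        if rtf[i] == 0x7B:            # '{' opens a nested group
            depth += 1
        elif rtf[i] == 0x7D:          # '}'
            if depth == 0:
                return rtf[start:i]
            depth -= 1
    return rtf[start:]                # unterminated group: take the rest


def find_objdata(rtf: bytes) -> List[Dict]:
    """RTF_OBJDATA: every \\objdata group with its file offset and decoded bytes."""
    found = []
    for m in OBJDATA_RE.finditer(rtf):
        body = _group_body(rtf, m.end())
        # Obfuscated documents pad the hex with junk control words, whitespace
        # and stray characters; Word ignores them, so drop them before decoding.
        hexdata = NON_HEX_RE.sub(b"", CONTROL_WORD_RE.sub(b"", body))
        if len(hexdata) % 2:
            hexdata = hexdata[:-1]    # odd nibble count: drop the dangling nibble
        found.append({"offset": m.start(), "data": bytes.fromhex(hexdata.decode())})
    return found


def _lp_string(buf: bytes, pos: int):
    """MS-OLEDS LengthPrefixedAnsiString: u32 length (incl. NUL) + bytes."""
    (n,) = struct.unpack_from("<I", buf, pos)
    return buf[pos + 4:pos + 4 + n].rstrip(b"\0").decode("latin-1"), pos + 4 + n


def parse_ole1(data: bytes) -> Optional[Dict]:
    """Parse an OLE 1.0 object stream; None if it is not OLE1 (e.g. raw shellcode)."""
    try:
        version, format_id = struct.unpack_from("<II", data, 0)
        if version != 0x00000501 or format_id not in (1, 2):   # 1=linked, 2=embedded
            return None
        class_name, pos = _lp_string(data, 8)
        _topic, pos = _lp_string(data, pos)
        _item, pos = _lp_string(data, pos)
        (native_size,) = struct.unpack_from("<I", data, pos)
    except struct.error:
        return None
    native = data[pos + 4:pos + 4 + native_size]
    return {"class_name": class_name, "format_id": format_id,
            "native_size": native_size, "native": native,
            "truncated": len(native) < native_size}


def build_ole1_object(class_name: str, native: bytes) -> bytes:
    """Build an OLE1 embedded-object blob (used only to make the constructed sample)."""
    def lp(s: str) -> bytes:
        b = s.encode() + b"\0" if s else b""
        return struct.pack("<I", len(b)) + b
    return (struct.pack("<II", 0x00000501, 2) + lp(class_name) + lp("") + lp("")
            + struct.pack("<I", len(native)) + native)


# Constructed sample (not the analysed file): an \objupdate'd embedded object
# whose OLE1 payload names the class "Equation.3" and carries 4 placeholder bytes.
SAMPLE_PAYLOAD = build_ole1_object("Equation.3", b"\xde\xad\xbe\xef")
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Arial;}}\n"
    b"{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
    b"{\\*\\objdata " + SAMPLE_PAYLOAD.hex().encode() + b"}}\n"
    b"\\par Hello}"
)


def triage(rtf: bytes) -> Dict:
    """Apply both heuristics and decode every embedded object."""
    objs = find_objdata(rtf)
    hits = (["RTF_OBJUPDATE"] if has_objupdate(rtf) else []) + (["RTF_OBJDATA"] if objs else [])
    return {"heuristics": hits, "objects": objs,
            "parsed": [parse_ole1(o["data"]) for o in objs]}


if __name__ == "__main__":
    rtf = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_RTF
    result = triage(rtf)
    print("heuristics:", ", ".join(result["heuristics"]) or "none")
    for o, p in zip(result["objects"], result["parsed"]):
        print(f"\\objdata at offset 0x{o['offset']:X}: {len(o['data'])} bytes decoded")
        if p:
            print(f"  OLE1 class={p['class_name']!r} format={p['format_id']} "
                  f"native_size={p['native_size']} truncated={p['truncated']}")
```

The decoded bytes from `find_objdata` are what the report carves as `objdata_00_off0000008b.bin`; writing them to disk and hashing them is the natural next step. A `None` from `parse_ole1` on a real sample is itself a signal: the \objdata hex did not start with an OLE1 header, which usually means the group holds something other than a well-formed object.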