Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 95e78a884133a9c9…

MALICIOUS

RTF / .DOC

Size: 7.9 KB
First seen: 2022-05-04
MD5: 12e2eb401f0fd930baaca5f4ad2e5ad3
SHA-1: 40128c489614afe8b60ff9a413214967b8bf5a21
SHA-256: 95e78a884133a9c9a5715ae413a28097188d391c2f67b18358c7f7567dd17841
Risk Score: 121

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The RTF file contains OLE object data and an \objupdate directive, indicating an attempt to trigger OLE object activation without user interaction. This suggests the file is designed to deliver a payload through its embedded objects. The presence of a SHA-256 hash further supports its identification as a distinct malicious artifact. No scripts were extracted, so the exact payload and delivery method could not be determined.

Heuristics (2)

  • \objupdate forces OLE activation [severity: high] (RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [severity: medium] (RTF_OBJDATA)
    RTF contains 2 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000733.bin
SHA-256: c14b2a77d5a0ef04d50a0542a1050bbf14eeda24fc42d28535f757cf6d14b00f
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x733
Size: 2109 bytes