Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 9ed706fb98077fee…

MALICIOUS

RTF / .DOC

Size: 6.4 KB
First seen: 2023-01-24
MD5: 52d99e1ec282e2221710c1e50ce68234
SHA-1: c0405b2fc56faf8d37ac349df7eac2138f956bae
SHA-256: 9ed706fb98077feeacc9d4576aaf78cc3ddab7921c43ca1821db0a77923d08a6
Risk score: 60

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File
  • T1059.001 Command and Scripting Interpreter: PowerShell

The sample is an RTF document that embeds OLE object data (\objdata) and carries the \objupdate control word, which makes Word update, and therefore instantiate, the embedded object as soon as the document is opened, with no click on the object required. That combination is the standard delivery mechanism for documents that exploit OLE object handlers, and it is commonly used to download and execute further malicious content. No document body or script content was recovered, so the lure and the final payload could not be identified; the T1059.001 (PowerShell) mapping is therefore not backed by any script extracted from this sample.

Heuristics (2)

  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    The RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (medium): OLE object data
    The RTF contains 1 \objdata section (embedded OLE object).
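The following is an added example, not code from the analysis platform that produced this report. It evaluates the two heuristics above (presence of \objupdate, count of \objdata sections) and carves each \objdata hex stream back to raw OLE object bytes, which is the step that yields a decoded artifact of the kind listed under Extracted artifacts. The RTF it scans is constructed inside the script around a placeholder payload and is not this sample; the Equation.3 class name is used only for illustration. It decodes hex streams only; \bin-encoded binary runs and other RTF oddities that full parsers such as oletools' rtfobj handle are out of scope.

```python
"""Static triage of an RTF for the RTF_OBJUPDATE and RTF_OBJDATA heuristics,
plus carving of every \\objdata hex stream back to raw OLE object bytes.
Added example: SAMPLE_RTF and PAYLOAD below are constructed, not the real sample."""
import hashlib
import re

OBJUPDATE = re.compile(rb"\\objupdate\b")
OBJDATA = re.compile(rb"\\objdata\b")
HEX_DIGIT = re.compile(rb"[0-9A-Fa-f]")
# Tokens that may appear inside the \objdata group but carry no payload hex:
# hex escapes (\'41), control words (\objw1000) and control symbols (\*).
HEX_ESCAPE = re.compile(rb"\\'[0-9A-Fa-f]{2}")
CONTROL_WORD = re.compile(rb"\\[a-zA-Z]+-?[0-9]*\s?")
CONTROL_SYMBOL = re.compile(rb"\\[^a-zA-Z]")


def group_end(rtf: bytes, pos: int) -> int:
    """Index of the '}' that closes the group open at pos. Nested groups (a
    common obfuscation inside \\objdata) and backslash-escaped characters are
    skipped so they cannot terminate the scan early."""
    depth = 0
    i = pos
    while i < len(rtf):
        c = rtf[i]
        if c == 0x5C:            # backslash: skip the character it escapes/introduces
            i += 2
            continue
        if c == 0x7B:            # {
            depth += 1
        elif c == 0x7D:          # }
            if depth == 0:
                return i
            depth -= 1
        i += 1
    return len(rtf)


def carve_objdata(rtf: bytes) -> list:
    """One record per \\objdata destination: file offset, decoded bytes, size, SHA-256."""
    records = []
    for m in OBJDATA.finditer(rtf):
        start, end = m.end(), group_end(rtf, m.end())
        body = rtf[start:end]
        for pat in (HEX_ESCAPE, CONTROL_WORD, CONTROL_SYMBOL):
            body = pat.sub(b"", body)
        digits = b"".join(HEX_DIGIT.findall(body))
        truncated = len(digits) % 2 == 1   # odd digit count: cut-off or damaged stream
        if truncated:
            digits = digits[:-1]
        data = bytes.fromhex(digits.decode("ascii"))
        records.append({
            "offset": m.start(),
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "truncated": truncated,
            "data": data,
        })
    return records


def heuristics(rtf: bytes) -> dict:
    """Evaluate the report's two heuristics and return the carved objects."""
    objects = carve_objdata(rtf)
    return {
        "RTF_OBJUPDATE": OBJUPDATE.search(rtf) is not None,  # high: forced OLE activation on open
        "RTF_OBJDATA": len(objects),                          # medium: embedded OLE object count
        "objects": objects,
    }


# Constructed sample: one embedded object with \objupdate, whose hex stream is
# split by a line break and an empty nested group, as seen in obfuscated samples.
PAYLOAD = b"constructed placeholder OLE1 object bytes, not the sample's real payload"
_hex = PAYLOAD.hex().encode("ascii")
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Times New Roman;}}\n"
    b"{\\object\\objemb\\objupdate\\objw1000\\objh1000{\\*\\objclass Equation.3}\n"
    b"{\\*\\objdata " + _hex[:20] + b"\r\n{\\*\\ud}" + _hex[20:] + b"}}\n"
    b"\\par Lure text.}"
)

if __name__ == "__main__":
    result = heuristics(SAMPLE_RTF)
    print("RTF_OBJUPDATE:", result["RTF_OBJUPDATE"])
    print("RTF_OBJDATA:", result["RTF_OBJDATA"])
    for obj in result["objects"]:
        print(f"\\objdata at offset 0x{obj['offset']:X}, {obj['size']} bytes, "
              f"sha256 {obj['sha256']}, truncated={obj['truncated']}")
```

Run against a real file with `heuristics(open(path, "rb").read())`; the offset and size printed for each object correspond to the "Source" and "Size" columns of a carved artifact, and an odd hex digit count is worth flagging because a truncated stream usually means the extraction, not the exploit, failed.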

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000a58.bin
SHA-256:  8d5bf32148bfc649223b4774b8a4a34be9696e738082df71f1a30c52c60cefc3
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0xA58
Size:     1879 bytes