Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 a010ecddb0cf2eda…

Verdict: MALICIOUS
Type: RTF / .DOC
Size: 10.0 KB
First seen: 2023-01-23
MD5: 73a1c07ad6996dca528809949908e150
SHA-1: c0a87a06e8ac1af154c2f3920a877a6c27153730
SHA-256: a010ecddb0cf2edaf3acb47b631f12d4e02b7c309b151ee69304deed188929fe
Risk score: 60

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The RTF document contains OLE object data and uses an \objupdate directive, which forces the embedded OLE object to update (activate) as soon as the document is opened, a technique used to trigger OLE object activation vulnerabilities without user interaction. This suggests the file is designed to deliver a malicious payload when opened. No specific malware family could be identified.

Heuristics (2)

  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (medium): OLE object data
    RTF contains 1 \objdata section(s) (embedded OLE objects).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001b75.bin
SHA-256: 6cd3589d37ff5ab59aaefef42d80d2a2c3c4d1789a286c0df3f6d4bd80e011fd
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1B75
Size: 1555 bytes