Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 a875d0ae637bfa5f…

MALICIOUS

RTF / .DOC

Size: 164.9 KB
First seen: 2023-05-20
MD5: a090eeb3593243868aee20648fc9cd50
SHA-1: 9387c94cf3b7a06369521f7f3ba86aa63a92f117
SHA-256: a875d0ae637bfa5f0cb5cf732ffa877b877c3fb6acc200d5556e04ff976913f2
Risk score: 100

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

The RTF document contains OLE object data and triggers automatic updates, indicating an attempt to exploit OLE activation mechanisms. This suggests the file is designed to embed and execute malicious code upon opening, likely as a downloader for a second-stage payload. No specific family could be identified, and the document body was unreadable.

Heuristics (3)

  • Automatically linked OLE object (severity: high, rule RTF_OBJAUTLINK)
    RTF contains \objautlink — an automatically linked OLE object that Word can update or activate when it opens the document.
  • \objupdate forces OLE activation (severity: high, rule RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000600.bin
SHA-256: 23ee2b4f6238d898227f7122599d44be7f1cc0846bb05da1ef5eff5969ac9d60
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x600
Size: 48848 bytes