Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 aa0fa35c63a9122a…

MALICIOUS

RTF / .DOC

374.1 KB First seen: 2022-12-07
MD5: 8599176fbe269ac9e1edea07dea0573f SHA-1: 55d0e77ba3805204dc2a19e3bd2d3fb5eae5ffab SHA-256: aa0fa35c63a9122a12a52b1f495bc016a9ceec4cb54bce56b4c3bf93dc3db0e8
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious File

The RTF document contains OLE object data, indicated by the RTF_OBJDATA heuristic. The RTF_OBJUPDATE heuristic at offset 0xE5D suggests that this OLE object is designed to be activated, likely leading to the execution of embedded malicious code. No document body or script content was available for further analysis, but the heuristics strongly indicate an exploit targeting OLE object activation.

Heuristics 2

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00000c7c.bin
0e1b61d9326cf0a3c7cb9a44d934119a167a6c401acbcd791342311fac946c68		 rtf-objdata-decoded RTF \objdata at offset 0xC7C 1737 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.