Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 b294272d3a3126f7…

MALICIOUS

RTF / .DOC

8.0 KB First seen: 2022-05-31
MD5: 167f0218076d190c33f77e5a45d70255 SHA-1: 0f3d1c505b4f36ef8523b23e6bafbc49a81bd8f6 SHA-256: b294272d3a3126f71050f79f1684aaa7461b230d2e66a53fee268c14839ec366
121 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.001 PowerShell

The RTF document contains OLE object data and an \objupdate directive, indicating it's designed to embed and activate external content. While no specific script was extracted, the presence of OLE objects strongly suggests an attempt to deliver a secondary payload. The confidence is moderate due to the lack of directly executable script content.

Heuristics 2

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0000088f.bin
5d5462e2d9d7ab036e285cd48331815ce646c154b4dda607d212f7bc0d684741		 rtf-objdata-decoded RTF \objdata at offset 0x88F 1867 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.