Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 b3279050d6b5fee9…

MALICIOUS

RTF / .DOC

Size: 206.1 KB
First seen: 2023-10-01
MD5: 96cd472e7ce09e4dcde4e4e2623587b7
SHA-1: 500653f103dda92d7d0aded3b8152963343fbe12
SHA-256: b3279050d6b5fee9c5660c3d98c0d6dead4c7f6ca150bebc257d054424bd6e79
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

The RTF file contains OLE object data and an \objupdate directive, indicating an attempt to automatically activate embedded objects. This is a common technique used to deliver malicious payloads, often through social engineering lures within the document body, though the body content here is unreadable. The heuristics strongly suggest an exploit attempt.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001dd3.bin
SHA-256: b2b334f82145a7baf1e21a080932d4098d82e88088e1c28347667514975b970b
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1DD3
Size: 1423 bytes