Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 bbe10b8d55fd2486…

MALICIOUS

RTF / .DOC

Size: 345.0 KB
First seen: 2023-09-20
MD5: 987971ef05bbf3bee0e5f0548cb53b64
SHA-1: 8b961e75ab5fd688da06b1ade6ea1d2ed82fc3df
SHA-256: bbe10b8d55fd248651e7d483e82426fda7c4e2799461065d734858362e4bada8
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The file is an RTF document containing embedded OLE objects whose activation is forced by \objupdate directives. This suggests an attempt to exploit an OLE-handling vulnerability or to trick the user into activating the embedded content. The document body is heavily obfuscated and contains no clear textual lure. No scripts were extracted, and no specific IOCs such as URLs or hashes were identified during static analysis.

Heuristics (3)

  • \objupdate forces OLE activation [severity: high, rule: RTF_OBJUPDATE]
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [severity: medium, rule: RTF_OBJDATA]
    RTF contains 1 \objdata section(s) — embedded OLE objects.
  • Embedded OLE object [severity: medium, rule: RTF_OBJEMB]
    RTF contains \objemb — embedded OLE object.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001b6d.bin
SHA-256: 8fb03b6ff69fc607c338adfc832ccb893331ad6cfc3733044cde26611cafc11a
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1B6D
Size: 2003 bytes