Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 cf1c03b04b985361…

MALICIOUS

RTF / .DOC

Size: 12.3 KB
First seen: 2023-05-30
MD5: 024a0b20a257ac9fc5b103613eec94ea
SHA-1: b28ba4fceb8f22eec44e5051929037dd8a3dc1df
SHA-256: cf1c03b04b985361052604a32a628e8dfdc380dbb45e9c3337cfa793d5ea1b1b
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The RTF document contains embedded OLE objects, and a heuristic indicates that \objupdate forces OLE activation. This suggests an attempt to exploit a vulnerability related to OLE object handling, likely for arbitrary code execution. No document body or script content was available for further analysis, limiting the ability to determine the specific payload or delivery mechanism.

Heuristics (3)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object (severity: medium, rule: RTF_OBJEMB)
    RTF contains \objemb — embedded OLE object

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: objdata_00_off00001e26.bin
    SHA-256: 775994da989cbf6ca620abb5994f463a95ca8c2049ee0e5110637fc8922bf488
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x1E26
    Size: 2395 bytes