Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 d3c0f2d8463273c1…

MALICIOUS

RTF / .DOC

Size: 24.9 KB
First seen: 2022-12-30
MD5: 1bb37a2edaf18da5d25ccff6e1ecab6d
SHA-1: 69f556557d375838d3a3a0391f2841ab711aa72c
SHA-256: d3c0f2d8463273c1c24c314f8a0fc77463f353540e961da83d14ca6450cae0c2
Risk Score: 60

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1187 Exploitation for Client Execution

The RTF document contains OLE object data and triggers an OLE activation heuristic, indicating an attempt to exploit an embedded object. The document body presents itself as a marketing assignment, a likely lure to encourage the user to enable editing and thereby trigger the malicious OLE object. The SHA-256 hash is included as the primary IOC.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000577d.bin
SHA-256:  597f928b6131d9bb3d6b77c7e508827fa9f98661c2ff356c3f17d9b87ab157c4
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x577D
Size:     1483 bytes