Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 d5106e1f72672ff8…

MALICIOUS

RTF / .DOC

Size: 3.5 KB
First seen: 2023-03-01
MD5: 4d22ba412896ef7438830b4e2dd48245
SHA-1: f6606308e6f1cca377a2db7fd1cc615f2a1ceee9
SHA-256: d5106e1f72672ff88d084d4514d9a9882b2bf011cc2cc527fdc8b5642c894a81
Risk score: 60

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The RTF document contains OLE object data and an \objupdate directive, indicating it is designed to trigger the execution of embedded content as soon as the document is opened. This is a common technique for delivering malicious payloads via document files. The specific exploit targeted is not detailed, but the presence of OLE object data strongly suggests an exploit leveraging that mechanism.

Heuristics (2)

  • \objupdate forces OLE activation [high] RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: objdata_00_off00000079.bin
    SHA-256: 629b9c6c2d5ff29de0d3acbc7c755de56aa4fa54a851a78983681eb3b787e593
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x79
    Size: 1681 bytes