Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 d89e71df4437ba85…

MALICIOUS

RTF / .DOC

Size: 203.9 KB    First seen: 2023-06-15
MD5:     8cf42d3eb21641441e3af2c727df5466
SHA-1:   ced89b0ffa1baff676088c4f9c3359c9cd43ee60
SHA-256: d89e71df4437ba858bf05cfadd777e8e3b86bff726d76acccc1637622e73e479
Risk score: 100

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model
T1059.001 PowerShell

The RTF document embeds an OLE object and carries \objupdate, which makes Word instantiate the object as soon as the document is opened, without the user clicking on it; this is the activation pattern used by exploit documents that target a vulnerable OLE server rather than a benign embedded object. The carved object, objdata_00_off0000067b.bin, is therefore the likely payload and is the artifact to inspect next: the static heuristics alone establish the activation technique, not which OLE server or vulnerability the object targets. The document body is heavily obfuscated and contains no clear textual lure.

Heuristics 3

  • Automatically linked OLE object (severity: high, rule RTF_OBJAUTLINK)
    RTF contains \objautlink, an automatically linked OLE object that Word may update or activate when it opens the document.
  • \objupdate forces OLE activation (severity: high, rule RTF_OBJUPDATE)
    RTF contains \objupdate, which forces the OLE object to be instantiated when the document is opened, with no user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule RTF_OBJDATA)
    RTF contains 1 \objdata section (hex-encoded embedded OLE object data).

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000067b.bin
SHA-256:  b80cc8253f7e33227761448572914462747d897517dac50ded8dba8f29a6e6cc
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x67B
Size:     853 bytes
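The three heuristics above and the carved artifact both come down to the same two operations: spotting the \objautlink, \objupdate and \objdata control words, and decoding the hex run inside the \objdata group into the raw OLE object. The script below is an added example written for this page, not the analysis engine that produced the report; it runs on a small RTF constructed inline (not the analysed sample), and the rule ids, severities and record layout are copied from the report only to make the output comparable. It also parses the OLE1 ObjectHeader (per MS-OLEDS: OLEVersion, FormatID, length-prefixed class name) that opens a decoded \objdata payload, so the carved blob can be attributed to an OLE class, which is the check the summary above calls for.

```python
import re
import struct

# Constructed sample RTF for this example (NOT the analysed document): one
# automatically linked OLE object carrying \objupdate and a short \objdata
# payload whose OLE1 header names the class "Equation.3".
SAMPLE_RTF = (
    rb"{\rtf1\ansi\deff0"
    rb"{\object\objautlink\objupdate\objw380\objh260"
    rb"{\*\objclass Equation.3}"
    rb"{\*\objdata 01050000 02000000 0b000000" b"\r\n"
    rb"4571756174696f6e2e3300 00000000}"
    rb"{\result{\pict\wmetafile8 0100}}}"
    rb"\par lure text}"
)

# Rule id -> (control-word pattern, severity as used in the report above).
HEURISTICS = {
    "RTF_OBJAUTLINK": (rb"\\objautlink\b", "high"),
    "RTF_OBJUPDATE": (rb"\\objupdate\b", "high"),
    "RTF_OBJDATA": (rb"\\objdata\b", "medium"),
}

HEX_DIGITS = b"0123456789abcdefABCDEF"
# An RTF control word (\name with optional numeric parameter) or control symbol (\x).
CONTROL_WORD = re.compile(rb"\\([A-Za-z]+-?\d*|.)", re.DOTALL)


def scan_heuristics(data: bytes) -> dict:
    """Count occurrences of each flagged control word; rules with zero hits are omitted."""
    hits = {}
    for rule, (pattern, severity) in HEURISTICS.items():
        count = len(re.findall(pattern, data))
        if count:
            hits[rule] = {"severity": severity, "count": count}
    return hits


def carve_objdata(data: bytes) -> list:
    """Decode every \\objdata hex run into raw bytes.

    Collection starts after the control word and stops at the brace that closes
    the enclosing group; nested groups are tracked by depth and nested control
    words are skipped so their letters are not mistaken for hex digits.
    """
    carved = []
    for m in re.finditer(HEURISTICS["RTF_OBJDATA"][0], data):
        hexchars = bytearray()
        depth = 0
        i = m.end()
        while i < len(data):
            c = data[i:i + 1]
            if c == b"{":
                depth += 1
            elif c == b"}":
                if depth == 0:
                    break
                depth -= 1
            elif c == b"\\":
                cw = CONTROL_WORD.match(data, i)
                i = cw.end() if cw else len(data)
                continue
            elif c in HEX_DIGITS:
                hexchars += c
            i += 1
        if len(hexchars) % 2:  # truncated trailing nibble: drop it rather than fail
            del hexchars[-1]
        blob = bytes.fromhex(hexchars.decode("ascii"))
        carved.append({"offset": m.start(), "size": len(blob), "data": blob})
    return carved


def ole1_class_name(blob: bytes):
    """Return the class name from the OLE1 ObjectHeader that opens an \\objdata
    payload: OLEVersion, FormatID (1 = linked, 2 = embedded), then a
    length-prefixed ANSI class name. Returns None when the header does not parse."""
    if len(blob) < 12:
        return None
    _version, format_id, name_len = struct.unpack_from("<III", blob, 0)
    if format_id not in (1, 2) or name_len > len(blob) - 12:
        return None
    return blob[12:12 + name_len].rstrip(b"\x00").decode("latin-1")


def analyse(data: bytes) -> dict:
    """Combine both checks into the kind of summary the report above presents."""
    objects = [
        {"offset": o["offset"], "size": o["size"], "class": ole1_class_name(o["data"])}
        for o in carve_objdata(data)
    ]
    return {"heuristics": scan_heuristics(data), "objects": objects}


if __name__ == "__main__":
    print(analyse(SAMPLE_RTF))
```

Two caveats apply to real samples like the one reported here, whose body is described as heavily obfuscated: the matcher looks for literal control words, so it will miss names padded with junk or split across groups in ways Word tolerates, and the carver ignores \bin binary runs. Treat a clean hit as confirmation, not a miss as absence, and feed the decoded object to an OLE parser to see what class it actually instantiates.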