Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 dbb905b2daf5119b…

MALICIOUS

RTF / .DOC

Size: 17.9 KB
First seen: 2022-07-07
MD5: 12def39948f10bc9066d9bd8776f11ae
SHA-1: a0757a81c9f9d8d5ea90fc39f0b08a5f78f4240e
SHA-256: dbb905b2daf5119b3516204cebc3bfef9a1cc82d396727d87be6e0f80f1ba48f
Risk score: 100

Malware Insights

MITRE ATT&CK
  • T1204.002 User Execution: Malicious File
  • T1027.001 Obfuscated Files or Information: Memory-only/RTF OLE

The sample is an RTF file containing embedded OLE objects (RTF_OBJDATA) and a directive that forces OLE activation (RTF_OBJUPDATE). The presence of an Ole10Native stream with high entropy suggests an encrypted or obfuscated payload designed to execute when the document is opened. The document body consists of randomized characters, which is typical of lures designed to evade static analysis or hide the true nature of the document.

Heuristics (3)

  • Ole10Native stream in RTF OLE object (severity: high; CVE-related; rule: RTF_OLE10NATIVE_STREAM)
    RTF contains an embedded OLE object with an Ole10Native stream. This is a strong payload-container signal and is related to Word/OLE exploit delivery, but it is not specific enough on its own to assign a CVE.
  • \objupdate forces OLE activation (severity: high; rule: RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium; rule: RTF_OBJDATA)
    RTF contains 2 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000009fb.bin
SHA-256: cb6a1373baaba4d34510f5adc306c711efea4145776ee2d872fcdc849db700ef
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x9FB
Size: 3794 bytes