Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 eb7727bfde7cb4f5…

MALICIOUS

RTF / .DOC

Size: 5.9 KB    First seen: 2022-10-20
MD5: c4cd8549dfd84e2f727e2e82872a4d0a
SHA-1: 3b3297ad39f2f5a74ce83e6fc80a402b639f20e9
SHA-256: eb7727bfde7cb4f5bb019feac7edced1261ed1314a37b7dcde7a32a55917f189
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The RTF document embeds an OLE object through a \objdata destination and marks it with the \objupdate control word, which tells Word to update (and therefore instantiate) the object as soon as the document is opened instead of waiting for the user to activate it. This combination is the standard delivery mechanism for exploits against OLE server applications such as Equation Editor: the malicious object is loaded, and the vulnerable server started, with no interaction beyond opening the file. No specific family could be identified from the available heuristics.

Heuristics 2

  • \objupdate forces OLE activation  [high, RTF_OBJUPDATE]
    RTF contains \objupdate: Word updates the embedded OLE object when the document is opened, so the OLE server is instantiated without any user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data  [medium, RTF_OBJDATA]
    RTF contains 1 \objdata destination(s) carrying hex-encoded embedded OLE object data.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename                    Kind                 Source                       Size
objdata_00_off0000007a.bin  rtf-objdata-decoded  RTF \objdata at offset 0x7A  2751 bytes
  SHA-256: d4040445d80399a7ec14ec56a8e39bc370a65dab289b542f72c8b7f2f5152ae0
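The two heuristics above and the carving step can be reproduced with a short parser. The following is an added example, not the analysis platform's own code: it builds a constructed RTF (not the analysed sample) containing \objupdate and a hex-encoded \objdata destination wrapping an OLE1 "Equation.3" object, flags both heuristics, carves and decodes the object at its offset, and parses the OLE1 ObjectHeader (MS-OLEDS) to recover the class name and the native payload. The heuristic names and severities mirror the report; the OLE_EQUATION_CLASS finding, the function names and the sample bytes are assumptions made for the example.

```python
import re
import struct

LETTERS = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")
DIGITS = set(b"-0123456789")
HEXDIGITS = set(b"0123456789abcdefABCDEF")
OBJDATA_RE = re.compile(rb"\\\*\\objdata\b")
CONTROL_WORD_RE = re.compile(rb"\\([a-zA-Z]+)")


def build_ole1_object(class_name: str, native: bytes) -> bytes:
    """Serialise an OLE1 ObjectHeader followed by an EmbeddedObject (MS-OLEDS 2.2.4, 2.2.5)."""
    name = class_name.encode("ascii") + b"\x00"
    out = struct.pack("<II", 0x00000501, 2)               # OLEVersion, FormatID 2 = embedded
    out += struct.pack("<I", len(name)) + name             # ClassName (LengthPrefixedAnsiString)
    out += struct.pack("<II", 0, 0)                        # TopicName and ItemName: empty
    return out + struct.pack("<I", len(native)) + native   # NativeDataSize + NativeData


# Constructed sample, NOT the analysed file: one embedded object marked \objupdate whose
# \objdata payload is an OLE1 "Equation.3" object wrapping a few dummy native bytes.
SAMPLE_RTF = (
    rb"{\rtf1\ansi" + b"\n"
    + rb"{\object\objemb\objupdate{\*\objclass Equation.3}" + b"\n"
    + rb"{\*\objdata "
    + build_ole1_object("Equation.3", b"\x1c\x00\x00\x00\x02\x00\x0b").hex().encode()
    + b"}" + b"\n}}"
)


def find_control_words(rtf: bytes) -> set:
    """Set of RTF control words present, e.g. {b'objupdate', b'objdata', ...}."""
    return set(CONTROL_WORD_RE.findall(rtf))


def carve_objdata(rtf: bytes) -> list:
    """Return [(offset, decoded_bytes)] for every \\*\\objdata destination.

    Walks the destination to its matching brace, skipping control words and nested
    groups (a common obfuscation) and hex-decoding what remains at depth 1.
    \\bin (raw binary runs) is not handled here; production tooling must add it.
    """
    objects = []
    for m in OBJDATA_RE.finditer(rtf):
        i, depth, hexchars = m.end(), 1, bytearray()
        while i < len(rtf) and depth > 0:
            c = rtf[i]
            if c == 0x5C:                                  # backslash: skip control word/symbol
                j = i + 1
                while j < len(rtf) and rtf[j] in LETTERS:
                    j += 1
                if j == i + 1:                             # control symbol: \* or \'hh (hex escape)
                    j += 3 if rtf[j:j + 1] == b"'" else 1
                else:                                      # optional numeric parameter, e.g. \bin123
                    while j < len(rtf) and rtf[j] in DIGITS:
                        j += 1
                i = j
                continue
            if c == 0x7B:
                depth += 1
            elif c == 0x7D:
                depth -= 1
            elif depth == 1 and c in HEXDIGITS:
                hexchars.append(c)
            i += 1
        if len(hexchars) % 2:                              # tolerate a dangling nibble
            hexchars.pop()
        objects.append((m.start(), bytes.fromhex(hexchars.decode("ascii"))))
    return objects


def parse_ole1(blob: bytes) -> dict:
    """Parse an OLE1 ObjectHeader; for FormatID 2 also return the NativeData payload."""
    version, fmt = struct.unpack_from("<II", blob, 0)
    off, fields = 8, []
    for _ in range(3):                                     # ClassName, TopicName, ItemName
        (n,) = struct.unpack_from("<I", blob, off)
        off += 4
        fields.append(blob[off:off + n].rstrip(b"\x00").decode("latin-1"))
        off += n
    native = None
    if fmt == 2:                                           # EmbeddedObject: NativeDataSize + NativeData
        (size,) = struct.unpack_from("<I", blob, off)
        off += 4
        native = blob[off:off + size]
    return {"ole_version": version, "format_id": fmt, "class_name": fields[0], "native_data": native}


def triage(rtf: bytes) -> dict:
    """Apply the report's two heuristics plus a hypothetical class-name check."""
    words = find_control_words(rtf)
    objects = [(off, parse_ole1(blob)) for off, blob in carve_objdata(rtf)]
    findings = []
    if b"objupdate" in words:
        findings.append(("RTF_OBJUPDATE", "high"))
    if objects:
        findings.append(("RTF_OBJDATA", "medium"))
    if any(o["class_name"].lower().startswith("equation") for _, o in objects):
        findings.append(("OLE_EQUATION_CLASS", "high"))   # assumed extra heuristic, not in the report
    return {"findings": findings, "objects": objects}


if __name__ == "__main__":
    result = triage(SAMPLE_RTF)
    for name, severity in result["findings"]:
        print(f"{severity:6} {name}")
    for off, obj in result["objects"]:
        print(f"\\objdata at offset 0x{off:X}: class={obj['class_name']!r} "
              f"format_id={obj['format_id']} native={obj['native_data']!r}")
```

On a real sample the decoded \objdata blob is what the report lists as objdata_00_off0000007a.bin; its first 8 bytes and the class-name string are the quickest way to tell an Equation Editor object from a Package or other OLE server before any dynamic analysis.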