Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 f9dac526b2d0f6cf…

MALICIOUS

RTF / .DOC

172.8 KB First seen: 2023-07-20
MD5: 95c4644a9510d4a4d16bef660f1f7340 SHA-1: 28213fbdcd19173f3502c7624a4f4d2ae557df17 SHA-256: f9dac526b2d0f6cfe8b6ed9ff98616adf87946f289ce4cbab9a3745596706ff0
80 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious File T1059.001 PowerShell

The sample is an RTF document containing embedded OLE objects, with heuristics indicating that \objupdate forces OLE activation. This suggests the document is designed to exploit OLE vulnerabilities or features to execute embedded code. The presence of an embedded OLE object, decoded from objdata, strongly implies an attempt to deliver a secondary payload or exploit. Without further script analysis or network indicators, the exact family and final payload remain undetermined.

Heuristics 3

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00001083.bin
275864dc43697ae71e4ec719b22761868dec27801e0c56f2b2b35366483bf8ea		 rtf-objdata-decoded RTF \objdata at offset 0x1083 55329 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.