Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 fce96ae799d511d6…

MALICIOUS

RTF / .DOC

Size: 52.8 KB    First seen: 2023-10-23
MD5:     cab325ac5de55e2f623564f8fb13f738
SHA-1:   79e71eb7a01659c3f15f1e5d11ce368c53e3554d
SHA-256: fce96ae799d511d622016225fb2149d4d6d637c9e7dcb5554c3bd7e9839a3d8d
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The RTF file contains OLE object data and an \objupdate directive, indicating an attempt to embed external content and activate it automatically when the document is opened. No script or URL was extracted from the sample, but this technique is commonly used to deliver malicious payloads, and the presence of embedded OLE object data suggests the potential for exploiting an application vulnerability or executing embedded code.

Heuristics (2)

  • [high] RTF_OBJUPDATE: \objupdate forces OLE activation
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • [medium] RTF_OBJDATA: OLE object data
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                    Kind                 Source                         Size
objdata_00_off00001ffc.bin  rtf-objdata-decoded  RTF \objdata at offset 0x1FFC  3674 bytes
  SHA-256: eabdf3f11eef65e896b06b7fbc3e58cd32d516b077f85729c94fc442e0590bd0