Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 079b957158fa4e3c…

MALICIOUS

RTF / .DOC

9.4 KB
MD5: 5f55db88ca34d03ef4535bb0948ad078
SHA-1: 2d384958be0db0de84333347c1e4119e71ca7ef4
SHA-256: 079b957158fa4e3cfe9b6dff685bee440c44357b419e78e96f67c1bb87be6f39
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment

The RTF document contains OLE object data and an \objupdate directive, indicating an attempt to exploit OLE object handling for code execution. This is a common method for delivering malicious payloads via spearphishing attachments. No specific family could be identified from the available evidence.

Heuristics (2)

  • \objupdate forces OLE activation [severity: high] RTF_OBJUPDATE
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [severity: medium] RTF_OBJDATA
    RTF contains 2 \objdata section(s): embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000b47.bin
SHA-256:  83b889e16fd53cf59868e32befe77ebe31bb991ab1f5732e40f6eae340e56ed7
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0xB47
Size:     1591 bytes