Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 0a647244f44effee…

MALICIOUS

RTF / .DOC

9.7 KB
MD5: 189f72db40724e802b8ffecb1a25a2b6
SHA-1: 5bf3d82dd08de663d789db4d5ef081e0b36af039
SHA-256: 0a647244f44effeedb546dc88ca3e4bb8b350c5707fa4b755903d2e2d3c42881
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF document embeds OLE objects: the RTF_OBJDATA heuristic found two \objdata sections. The \objupdate control word at offset 0x11E8 (RTF_OBJUPDATE) tells the host application to update, and therefore instantiate, the embedded object as soon as the document is opened, so no click or "Enable content" prompt is needed before the OLE server is loaded. Force-loading an embedded object this way is the delivery pattern of exploitation for client execution (T1203) via a spearphishing attachment (T1566.001). Both findings are static heuristics: they establish that an OLE object is activated automatically, not which OLE server it targets or what the payload does; the carved \objdata artifact listed below is where the object class and payload should be examined.

Heuristics (2)

  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (medium): OLE object data
    RTF contains 2 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000121f.bin
SHA-256: ca54c010dd7e6bffab129e3bbfe8ac5c1c3d073d93706d8cad95b46757e14734
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x121F
Size: 1704 bytes
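The two heuristics above and the carved artifact are the output of a fairly simple procedure: locate \objupdate and \*\objdata control words in the raw RTF, hex-decode each \objdata group, and read the OLE 1.0 object header at the start of the decoded blob to learn the object's class name and native payload. The scanner below is an added example written for this page; it is not the analysis engine's code, and the sample RTF, the "Equation.3" and "Package" objects and their payload bytes are constructed here for illustration. It assumes the \objdata payload is the OLE 1.0 ObjectHeader layout (OLEVersion, FormatID, then three length-prefixed ANSI strings, then NativeDataSize and NativeData for an embedded object) and that hex data may be broken by whitespace, which is the common case; it does not try to defeat the heavier obfuscation seen in some real samples.

```python
import hashlib
import re
import struct

OLE1_EMBEDDED = 2  # OLE 1.0 FormatID value for an EmbeddedObject

OBJDATA_RE = re.compile(rb"\\\*\\objdata\b")
OBJUPDATE_RE = re.compile(rb"\\objupdate\b")
NON_HEX_RE = re.compile(rb"[^0-9A-Fa-f]")


def build_ole1_embedded(class_name: str, native: bytes) -> bytes:
    """Build an OLE 1.0 embedded-object stream (used only to construct the sample RTF)."""
    def lp(s: bytes) -> bytes:  # length-prefixed ANSI string; length counts the NUL
        return struct.pack("<I", len(s) + 1) + s + b"\x00" if s else struct.pack("<I", 0)
    header = struct.pack("<II", 0x00000501, OLE1_EMBEDDED)
    header += lp(class_name.encode()) + lp(b"") + lp(b"")  # ClassName, TopicName, ItemName
    return header + struct.pack("<I", len(native)) + native


def parse_ole1_header(data: bytes) -> dict:
    """Read OLEVersion, FormatID, the three name strings and (for embedded objects) NativeData."""
    ole_version, format_id = struct.unpack_from("<II", data, 0)
    off = 8

    def lp_string(pos: int):
        (n,) = struct.unpack_from("<I", data, pos)
        s = data[pos + 4:pos + 4 + n]
        return s.rstrip(b"\x00").decode("latin-1"), pos + 4 + n

    class_name, off = lp_string(off)
    topic_name, off = lp_string(off)
    item_name, off = lp_string(off)
    native = b""
    if format_id == OLE1_EMBEDDED:
        (native_size,) = struct.unpack_from("<I", data, off)
        native = data[off + 4:off + 4 + native_size]
    return {"ole_version": ole_version, "format_id": format_id, "class_name": class_name,
            "topic_name": topic_name, "item_name": item_name, "native": native}


def group_body(rtf: bytes, start: int) -> bytes:
    """Bytes from start up to the '}' that closes the enclosing RTF group (brace-depth aware)."""
    depth, i = 0, start
    while i < len(rtf):
        c = rtf[i:i + 1]
        if c == b"\\":          # skip escaped characters such as \{ and \}
            i += 2
            continue
        if c == b"{":
            depth += 1
        elif c == b"}":
            if depth == 0:
                return rtf[start:i]
            depth -= 1
        i += 1
    return rtf[start:]


def scan_rtf(rtf: bytes) -> dict:
    """Locate \\objupdate and \\*\\objdata, carve and decode each object, hash the carved bytes."""
    report = {"objupdate_offsets": [m.start() for m in OBJUPDATE_RE.finditer(rtf)], "objects": []}
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = NON_HEX_RE.sub(b"", group_body(rtf, m.end()))  # tolerate whitespace/newlines
        if len(hexdata) % 2:
            hexdata = hexdata[:-1]                               # drop a dangling nibble
        blob = bytes.fromhex(hexdata.decode("ascii"))
        entry = {"offset": m.start(), "size": len(blob), "sha256": hashlib.sha256(blob).hexdigest()}
        entry.update(parse_ole1_header(blob))
        report["objects"].append(entry)
    return report


def heuristics(report: dict) -> list:
    """Mirror the two report heuristics: forced activation (high) and embedded OLE data (medium)."""
    hits = []
    if report["objupdate_offsets"]:
        hits.append(("RTF_OBJUPDATE", "high"))
    if report["objects"]:
        hits.append(("RTF_OBJDATA", "medium"))
    return hits


# Constructed sample: one force-updated Equation.3 object plus a plain Package object.
EQ_NATIVE = b"\x1c\x00\x00\x00" + b"A" * 40   # stand-in bytes, not a real exploit buffer
_eq_hex = build_ole1_embedded("Equation.3", EQ_NATIVE).hex().encode()
_eq_hex = _eq_hex[:40] + b"\r\n" + _eq_hex[40:]   # line break inside the hex, as real RTF has
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\n"
    b"{\\object\\objemb\\objupdate\\objw380\\objh260{\\*\\objclass Equation.3}"
    b"{\\*\\objdata " + _eq_hex + b"}}\n"
    b"{\\object\\objemb{\\*\\objclass Package}"
    b"{\\*\\objdata " + build_ole1_embedded("Package", b"hello").hex().encode() + b"}}\n"
    b"}"
)

if __name__ == "__main__":
    result = scan_rtf(SAMPLE_RTF)
    print("objupdate at:", [hex(o) for o in result["objupdate_offsets"]])
    for obj in result["objects"]:
        print(f"objdata at {obj['offset']:#x}: class={obj['class_name']!r} "
              f"size={obj['size']} sha256={obj['sha256'][:16]}... native={obj['native'][:8]!r}")
    print("heuristics:", heuristics(result))
```

Run against a real sample, the class name of the force-updated object is the first thing to check: an "Equation.3" object behind \objupdate is the Equation Editor pattern the RTF_OBJUPDATE description refers to, while the NativeData is what a disassembler or shellcode emulator should be pointed at next.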