Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 0b69316571c9fd42…

Verdict: MALICIOUS
File type: RTF / .DOC
Size: 8.7 KB
MD5: 2d0c851590d20271d6cf7e3d92f4fa63
SHA-1: 87222235f447bdcadca45d574c2139b1f90bc551
SHA-256: 0b69316571c9fd42f17c42034f77d38dc32f1d11f1c25420a3ab7b3baa322215
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF document embeds OLE object data and marks the object with the \objupdate control word, which makes Word update, and therefore instantiate, the OLE object as soon as the document is opened, with no double-click or other user interaction. That combination is the standard delivery mechanism for OLE-based client-execution exploits, and the sample is most likely intended to run a secondary payload once the object activates. Neither the specific exploit nor the payload can be identified from the available evidence, so the sample is classified as an unknown family. The "RTF / .DOC" type label reflects that Word detects the format from the {\rtf header rather than the extension, so the file is handled as RTF even when it is delivered as a .doc attachment.

Heuristics (2)

  • RTF_OBJUPDATE (severity: high): \objupdate forces OLE activation
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (severity: medium): OLE object data
    RTF contains 2 \objdata section(s) (embedded OLE objects).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001121.bin
SHA-256: cb29d65367185a69f57a0c2b6393e4b6cd5f050bd35dd63fab235c0c6cd20cb3
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1121
Size: 1748 bytes