Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 0c5b0b553aefcf64…

MALICIOUS

RTF / .DOC

102.9 KB
MD5: 2471f9a4d117c8c86f6cd2788be4ea73 SHA-1: f17282fce2f135f7044c53d91ed18995d13f0d7c SHA-256: 0c5b0b553aefcf64cf487b7f4c8813e1f4f11b7e86fb0acef0bbf18dc51da6bc
60 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The sample is an RTF document containing OLE object data and an \objupdate directive, indicating an attempt to exploit OLE activation for code execution. This is a common technique for delivering malicious payloads, often distributed via spearphishing attachments. While no specific family is identified, the behavior suggests a downloader or dropper.

Heuristics 2

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00000ef3.bin
0197f79a7d2cffdfb995285be2e2f7d2a19eab4232082768e029a75435e7f8f3		 rtf-objdata-decoded RTF \objdata at offset 0xEF3 1682 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.