Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 0cbbff11083502be…

MALICIOUS

RTF / .DOC

24.6 KB
MD5: ba089442abb4e0532d90c7827c0e9514
SHA-1: 30fa861b43bc3a6f6bed9820acc3e5a5db775e89
SHA-256: 0cbbff11083502be68d0b5680fa13923b6cc76bad3d7f27c5dc4291cf4a84dea

Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF document contains embedded OLE object data and uses an \objupdate directive, indicating an attempt to abuse automatic OLE activation for code execution. This suggests the file is designed to deliver a malicious payload as soon as it is opened. The specific exploit mechanism is not fully detailed by static analysis alone, but the presence of auto-activated OLE objects points towards client-side exploitation.

Heuristics (2)

  • \objupdate forces OLE activation — severity: high — RTF_OBJUPDATE
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data — severity: medium — RTF_OBJDATA
    RTF contains 2 \objdata section(s) (embedded OLE objects).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001ff8.bin
SHA-256:  f3bb809a5a88e22b38d67d174b3425bf5dff52aa7b6832c53e1691cfc7838613
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x1FF8
Size:     1949 bytes