Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 0f9dd9740b6c6ce0…

Verdict: MALICIOUS
File type: RTF / .DOC
Size: 165.5 KB
MD5: 3111c2e791cd71ee989c47e3713771f6
SHA-1: 7bea74205268c245020d7b9aa7a3792292e2909f
SHA-256: 0f9dd9740b6c6ce0ef8b4d756abb7494d35da16af767dc58eae91af43313cb3a
Risk score: 100

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The RTF document contains heuristics indicating the use of OLE objects with automatic linking and update features. This suggests an attempt to exploit a vulnerability or execute embedded code as soon as the document is opened, without user interaction. The ".bin" file carved from the \objdata stream further supports the malicious intent. Because no document body or scripts were recovered, the exact payload and delivery mechanism remain unclear, so the confidence is not rated higher.

Heuristics (3)

  • Automatically linked OLE object (severity: high, ID: RTF_OBJAUTLINK)
    RTF contains \objautlink: an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation (severity: high, ID: RTF_OBJUPDATE)
    RTF contains \objupdate: forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, ID: RTF_OBJDATA)
    RTF contains 1 \objdata section(s): embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  Filename: objdata_00_off00001717.bin
  Kind:     rtf-objdata-decoded
  Source:   RTF \objdata at offset 0x1717
  Size:     4695 bytes
  SHA-256:  796b48c04a33e3269f89b9fc8a81dfe382fe76a5220b14994d6a13f59ac23620