Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 13b8a0a606d2e7f0…

MALICIOUS

RTF / .DOC

197.7 KB
MD5: b310ff628e3e26403ccf2f53c98f44a8 SHA-1: a1f22aed0e9e7a1c1eb68accb4f1237d8a780781 SHA-256: 13b8a0a606d2e7f0ee999c9b83b54c3e73078c6f523cecb94f08b4d100884235
100 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF document contains OLE objects that are configured to activate automatically upon opening, indicated by the RTF_OBJUPDATE and RTF_OLE10NATIVE_STREAM heuristics. This mechanism is commonly used to execute embedded malicious code, suggesting the file is designed to exploit this behavior for initial execution. The specific OLE object data, objdata_00_off00000a04.bin, is the primary artifact of interest.

Heuristics 3

  • Ole10Native stream in RTF OLE object high CVE related RTF_OLE10NATIVE_STREAM
    RTF contains an embedded OLE object with an Ole10Native stream. This is a strong payload-container signal and is related to Word/OLE exploit delivery, but it is not specific enough on its own to assign a CVE.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00000a04.bin
299cff9a13c56f0a0cd64fbca425a5a96dd965fd00afe3f9fe907c040a723eea		 rtf-objdata-decoded RTF \objdata at offset 0xA04 3643 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.