Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 14ee6f1d9147d7ff…

MALICIOUS

RTF / .DOC

81.1 KB
MD5: 39e45c72c44ce713bca131643208aa40 SHA-1: 65670689575be208452cdc6cfed84a4d8f823c8b SHA-256: 14ee6f1d9147d7ffc7f76c46bf4efdba29e1c1cb872be3e195af4876688c0d30
80 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF file contains OLE object data and triggers an OLE activation via \objupdate, suggesting it is designed to execute embedded content. The specific nature of the OLE object and its payload could not be determined from the provided heuristics and truncated document body. Therefore, the exact attack pattern and family remain uncertain.

Heuristics 3

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0000206f.bin
b99fe8f0f1720e254ab5a3cd23206d7da5199ff9ee3f8525b1470a22f9e843f3		 rtf-objdata-decoded RTF \objdata at offset 0x206F 4225 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.