Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 161c19241ddafd72…

Verdict: MALICIOUS
Type: RTF / .DOC
Size: 144.1 KB
MD5: 168e2fa04e53f90c0d627a1c69895c18
SHA-1: 7fddab8e3bd14361b4863af707042ee3aee6b431
SHA-256: 161c19241ddafd727fcbb633016ae5032481b68032bd0103f174d2e7bbecc0d4
Risk Score: 60

Malware Insights

MITRE ATT&CK

  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF document contains OLE object data and an \objupdate directive, indicating an attempt to exploit OLE activation for code execution. This is a common technique for delivering secondary payloads. While no specific family is identified, the method strongly suggests a malicious document intended for initial compromise via spearphishing.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, rule RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule RTF_OBJDATA)
    RTF contains 2 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: objdata_00_off00001ac3.bin
    SHA-256: 3554e7acb87db80ce4593bc997714d4e9ec5a2da1ebd16f3c2a107e4e783fee1
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x1AC3
    Size: 1360 bytes