Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 17006bd37d12936d…

MALICIOUS

RTF / .DOC

19.8 KB
MD5:     dffeacd6b2dc4266c6490c434231a437
SHA-1:   3f847a57bf10a4fdc2ebfec0db6e15926c8129a8
SHA-256: 17006bd37d12936dc8e03680d5de70a6d269f17ad0eec11d4b268a17563fdb5e

Risk Score: 60

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment

The RTF document contains embedded OLE object data (\objdata) together with an \objupdate control word. \objupdate asks the host application to update the embedded object as soon as the document is opened, which is the usual way an RTF exploit gets its OLE object instantiated without the user clicking on it. The specific exploit mechanism is not identified by the static result, but the combination strongly indicates a client-side exploitation attempt, most likely delivered as a spearphishing attachment. No further IOCs (URLs, IP addresses, dropped-file names) were extracted from the limited document body.

Heuristics (2)

  • RTF_OBJUPDATE [high]: \objupdate forces OLE activation
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Very commonly seen in Equation Editor exploit documents, and in other RTF-delivered OLE exploits.
  • RTF_OBJDATA [medium]: OLE object data
    RTF contains 2 \objdata section(s), i.e. embedded OLE objects. Only one of them decoded to a carvable artifact (see below).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000018a6.bin
SHA-256:  5c573754e8dc5cb71fba225547e577bf204eea228ac8c60a7818c7007e0b1afc
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x18A6
Size:     1518 bytes
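As an added example (this is not the scanner's own code, and it is run against a constructed RTF fragment rather than the analysed sample), the following Python re-implements the two heuristics above and the \objdata carving step that produces the artifact table: it flags \objupdate, locates each \objdata group, strips the whitespace/line breaks that RTF writers insert into the hex text, decodes the bytes, names the output file with the same `objdata_NN_offXXXXXXXX.bin` scheme as the report, and reads the class name out of the OLE 1.0 ObjectHeader (OLEVersion, FormatID, length-prefixed ClassName, per MS-OLEDS). The rule names RTF_OBJUPDATE / RTF_OBJDATA and the severities are taken from the report; `SAMPLE_RTF`, `OLE1_HEX` and the "Package" object inside them are constructed for the example.

```python
"""Minimal RTF triage: flag \\objupdate and carve/decode \\objdata blobs.

Added example, not the scanner's code. Re-implements the RTF_OBJUPDATE and
RTF_OBJDATA heuristics plus the artifact carving step on a constructed RTF.
"""
from __future__ import annotations

import hashlib
import re
import struct
from dataclasses import dataclass

# RTF control words end at the first non-letter, so \objupdatex must not match.
OBJUPDATE_RE = re.compile(rb"\\objupdate(?![a-zA-Z])")
# \objdata is followed by hex text up to the closing brace of its group.
OBJDATA_RE = re.compile(rb"\\objdata(?![a-zA-Z])([^}]*)\}")
NON_HEX_RE = re.compile(rb"[^0-9a-fA-F]")


@dataclass
class CarvedObject:
    index: int
    offset: int       # byte offset of the \objdata control word in the RTF
    data: bytes       # decoded OLE1 object stream
    class_name: str   # ClassName from the OLE1 ObjectHeader, "" if unparsable

    @property
    def filename(self) -> str:
        # Same naming scheme as the report's artifact table
        return f"objdata_{self.index:02d}_off{self.offset:08x}.bin"

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.data).hexdigest()


def parse_ole1_class_name(data: bytes) -> str:
    """Read ClassName from an OLE1 ObjectHeader (MS-OLEDS 2.2.4):
    OLEVersion(4) FormatID(4) ClassName = Length(4) + NUL-terminated ANSI.
    FormatID 2 = embedded object, 1 = linked object."""
    if len(data) < 12:
        return ""
    _version, format_id, name_len = struct.unpack_from("<III", data, 0)
    if format_id not in (1, 2) or name_len > len(data) - 12:
        return ""
    return data[12:12 + name_len].split(b"\x00", 1)[0].decode("latin-1")


def has_objupdate(rtf: bytes) -> bool:
    return OBJUPDATE_RE.search(rtf) is not None


def carve_objdata(rtf: bytes) -> list[CarvedObject]:
    """Decode every \\objdata group. Non-hex bytes inside the group (whitespace,
    line breaks, simple junk) are dropped before decoding, as common RTF
    carvers do; nested-group obfuscation is deliberately not handled here."""
    objects = []
    for i, m in enumerate(OBJDATA_RE.finditer(rtf)):
        hex_text = NON_HEX_RE.sub(b"", m.group(1))
        if len(hex_text) % 2:
            hex_text = hex_text[:-1]  # drop a dangling trailing nibble
        data = bytes.fromhex(hex_text.decode("ascii"))
        objects.append(CarvedObject(i, m.start(), data, parse_ole1_class_name(data)))
    return objects


def triage(rtf: bytes) -> dict:
    """Report-style verdict: (severity, rule) findings plus carved objects."""
    objs = carve_objdata(rtf)
    findings = []
    if has_objupdate(rtf):
        findings.append(("high", "RTF_OBJUPDATE"))
    if objs:
        findings.append(("medium", "RTF_OBJDATA"))
    return {"findings": findings, "objects": objs}


# Constructed sample (not the analysed file): one embedded OLE1 "Package"
# object whose native payload is ten arbitrary bytes, hex split over two lines.
OLE1_HEX = (
    "01050000"                         # OLEVersion
    "02000000"                         # FormatID = 2 (embedded)
    "08000000" "5061636b61676500"      # ClassName "Package\0"
    "00000000" "00000000"              # empty TopicName / ItemName
    "0a000000" "41424344454647484950"  # NativeDataSize = 10, NativeData "ABCDEFGHIJ"
)
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\deff0"
    b"{\\object\\objemb\\objupdate{\\*\\objclass Package}"
    b"{\\*\\objdata " + OLE1_HEX[:40].encode() + b"\r\n" + OLE1_HEX[40:].encode() + b"}}"
    b"\\par }"
)

if __name__ == "__main__":
    result = triage(SAMPLE_RTF)
    for sev, rule in result["findings"]:
        print(f"[{sev}] {rule}")
    for o in result["objects"]:
        print(f"{o.filename}  {len(o.data)} bytes  class={o.class_name!r}  sha256={o.sha256}")
```

Run it on a real RTF by replacing `SAMPLE_RTF` with the file's bytes; the reported offset is where the `\objdata` control word sits, which is how the report's `0x18A6` should be read. Two \objdata groups with only one carved artifact, as in this report, usually means the second group was empty or did not decode to a well-formed blob, so it is worth dumping the raw group text for that one by hand.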