Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 23c39f782255d238…

Verdict: MALICIOUS
Type: RTF / .DOC
Size: 238.0 KB
MD5:     2448b7542a1103bfa7c593161e5e2ff8
SHA-1:   987c4b210532de885a1984a675e3a2e34e796696
SHA-256: 23c39f782255d238c190d9b2a006fe013bf13891a5411a2d2c3ad93d2ebf9178
Risk score: 60

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The RTF file embeds OLE object data (a single \objdata section) and carries an \objupdate control word. \objupdate instructs Word to load and update the embedded object as soon as the document is opened, so the object is instantiated without the user double-clicking it. That pairing is the standard delivery mechanism for Equation Editor-style exploit documents: the auto-activated object is the exploit, and the document acts as a dropper that hands execution to a second-stage payload. The heuristics alone establish the delivery technique, not the embedded object's class or the malware family; that determination has to be made from the carved \objdata blob listed under Extracted artifacts.

Heuristics (2)

  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Rare in legitimate documents and strongly associated with Equation Editor exploit documents.
  • RTF_OBJDATA (medium): OLE object data
    RTF contains 1 \objdata section(s) carrying embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  Filename: objdata_00_off00000062.bin
  SHA-256:  d7e3a6ae0b5cb9b8a50bccf1bebe8fa87796678ab78fb417818ef26f4caa23c6
  Kind:     rtf-objdata-decoded
  Source:   RTF \objdata at offset 0x62
  Size:     77814 bytes
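The two heuristics above and the artifact carving are the same small piece of RTF parsing: locate \objupdate, locate each \objdata destination, strip the hex payload out of its group, decode it, and hash the result. The script below is an added example written for this report, not code from the analysis platform that produced it. It works on a constructed minimal RTF rather than the analysed sample, and it goes one step beyond the report by reading the OLE 1.0 object header (version, FormatID, length-prefixed class name) that a decoded \objdata payload normally begins with, so the class of the embedded object can be recorded alongside the hash. Function names and the sample bytes are the example's own.

```python
import hashlib
import re
import struct

# Constructed sample RTF (not the analysed file): one embedded object with
# \objupdate set and a short, made-up OLE 1.0 header as its \objdata payload
# (version 0x501, FormatID 2 = embedded, class name "Equation.3", empty
# topic and item names). Real payloads run to tens of kilobytes of hex.
SAMPLE_RTF = (
    rb"{\rtf1\ansi"
    rb"{\object\objemb\objupdate{\*\objclass Equation.3}"
    rb"{\*\objdata 01050000 02000000 0b000000 4571756174696f6e2e3300"
    rb" 00000000 00000000}"
    rb"}\par}"
)

OBJUPDATE_RE = re.compile(rb"\\objupdate\b")
OBJDATA_RE = re.compile(rb"\\objdata\b")
CONTROL_WORD_RE = re.compile(rb"\\[a-zA-Z]+-?\d* ?")


def has_objupdate(data: bytes) -> bool:
    """True if the document asks Word to auto-update (and so auto-activate) OLE objects."""
    return OBJUPDATE_RE.search(data) is not None


def find_group_end(data: bytes, start: int) -> int:
    """Index of the '}' that closes the RTF group `start` is inside of.
    Tracks nesting depth and skips escaped characters / control symbols."""
    depth = 1
    i = start
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":
            i += 2
            continue
        if c == b"{":
            depth += 1
        elif c == b"}":
            depth -= 1
            if depth == 0:
                return i
        i += 1
    return len(data)


def carve_objdata(data: bytes):
    """Yield (offset_of_control_word, decoded_bytes) for each \objdata destination.
    Control words, braces and whitespace inside the group are dropped before
    hex-decoding, which is how obfuscated samples hide their payload."""
    for m in OBJDATA_RE.finditer(data):
        body = data[m.end():find_group_end(data, m.end())]
        hex_text = CONTROL_WORD_RE.sub(b"", body)
        hex_text = re.sub(rb"[{}\s]", b"", hex_text)
        if len(hex_text) % 2:
            hex_text = hex_text[:-1]  # dangling nibble; decode the complete bytes
        try:
            yield m.start(), bytes.fromhex(hex_text.decode("ascii"))
        except (UnicodeDecodeError, ValueError):
            continue  # non-hex residue the simple stripping did not handle


def ole1_class_name(blob: bytes):
    """Class name from the OLE 1.0 ObjectHeader: OLEVersion (4), FormatID (4),
    then a 4-byte length-prefixed ANSI class name. None if the header does not parse."""
    if len(blob) < 12:
        return None
    version, _format_id, name_len = struct.unpack_from("<III", blob, 0)
    if version != 0x00000501 or name_len > len(blob) - 12:
        return None
    return blob[12:12 + name_len].rstrip(b"\x00").decode("latin-1") or None


def triage_rtf(data: bytes) -> dict:
    """Run the RTF_OBJUPDATE / RTF_OBJDATA checks and carve every object payload."""
    objects = []
    for offset, blob in carve_objdata(data):
        objects.append({
            "offset": offset,
            "size": len(blob),
            "sha256": hashlib.sha256(blob).hexdigest(),
            "ole1_class": ole1_class_name(blob),
        })
    return {"objupdate": has_objupdate(data), "objects": objects}


if __name__ == "__main__":
    result = triage_rtf(SAMPLE_RTF)
    print("objupdate present:", result["objupdate"])
    for obj in result["objects"]:
        print(f"\\objdata at offset 0x{obj['offset']:x}: {obj['size']} bytes, "
              f"class={obj['ole1_class']}, sha256={obj['sha256']}")
```

The offset reported is that of the \objdata control word itself, matching the `off00000062` naming convention in the artifact table; the carved blob is what you would hash, scan and then open in an OLE parser to confirm which object class the exploit targets. Brace matching is deliberately done by hand rather than with a regex, because exploit RTFs routinely nest junk groups and control words inside the \objdata destination to defeat one-line extractors.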