Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 290bc4c73c170e9b…

MALICIOUS

RTF / .DOC

77.9 KB
MD5: bb39d007539faef0165a09f244d8ad5c
SHA-1: 578de4d912db2d3ef2d0ab785442e9ab5910d050
SHA-256: 290bc4c73c170e9b47b65652f6ba877e178452f7509d474d695518b235980963
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious File

The RTF file contains embedded OLE objects, as indicated by the RTF_OBJDATA and RTF_OBJEMB heuristics. The RTF_OBJUPDATE heuristic suggests that these objects are designed to be activated automatically, likely leading to the execution of malicious code. The document body is heavily obfuscated and does not provide clear textual clues about the intended lure. Therefore, the primary attack vector appears to be leveraging RTF's object embedding capabilities for exploitation.

Heuristics (3)

  • \objupdate forces OLE activation (severity: high, RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, RTF_OBJDATA)
    RTF contains 1 \objdata section(s): embedded OLE objects.
  • Embedded OLE object (severity: medium, RTF_OBJEMB)
    RTF contains \objemb: embedded OLE object.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001386.bin
SHA-256:  eba54c4c9e716a63275abf442b0371e23273b1ebe36c06aca64a17ee1916b93e
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x1386
Size:     4254 bytes