Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 2a7064ef86916204…

MALICIOUS

RTF / .DOC

17.5 KB
MD5: 425d5792de1773f0064fad9e9e2b4a73 SHA-1: d2a98cd1d3cf83dc49a786484170ff57a4379d07 SHA-256: 2a7064ef86916204f66da8f701a5ba979b0ea97a6a9ee4c6b955527a3cd4af21
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The RTF document contains OLE object data and triggers an \objupdate event, indicating an attempt to exploit OLE activation. This is a common technique for delivering malicious payloads, often used in phishing attacks to trick users into opening documents that then execute further stages. The specific exploit mechanism is not fully detailed, but the presence of \objdata and \objupdate strongly suggests an attempt to leverage embedded objects for code execution.

Heuristics 2

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00000df7.bin
90eb4e5727c1aecd1223d1d32526d9852cd7a01f6153a22d28a7d5842686afa3		 rtf-objdata-decoded RTF \objdata at offset 0xDF7 1896 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.