Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 2b7693078391c8a7…

MALICIOUS

RTF / .DOC

77.6 KB
MD5: cac71c76836180f63094b0bd89864114
SHA-1: 7358b532f5f54a05db4d98b6424ef69941576b6c
SHA-256: 2b7693078391c8a7cc03383527fd9983a5a028b33edfd84c1d5b3ac9416ff262
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious File

The RTF document contains embedded OLE objects, and a heuristic indicates that \objupdate forces OLE activation when the document is opened. This suggests the document is designed to exploit a vulnerability in how OLE objects are handled, likely leading to arbitrary code execution. No specific malware family could be identified, and no document body or script content was available for further analysis.

Heuristics (3)

  • \objupdate forces OLE activation [high] (RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] (RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object [medium] (RTF_OBJEMB)
    RTF contains \objemb — embedded OLE object

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001862.bin
SHA-256:  d3a1d464920eb26c5d0ed186067e53b14a0a06474bd0048e36450f6961468d9d
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x1862
Size:     4182 bytes