Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 2ccdcc5ccc19bbf6…

MALICIOUS

RTF / .DOC

Size: 64.0 KB
Authoring application: Msftedit 5.41.15.1515
MD5: d780163153d1a29e8bceb43dfc2c6742
SHA-1: d279e2bee119fe45763de6a5dec3fa02583e1f62
SHA-256: 2ccdcc5ccc19bbf66d7e9e1442ae46e4d3e57087c1fc5be404ba6a4285853c09
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1559.001 Component Object Model Hijacking
  • T1204.002 Malicious File

The RTF document contains embedded OLE object data, specifically a Package object, which is a known technique for delivering malicious payloads. The critical heuristic RTF_MZ_HEX fired, indicating a PE header within the RTF's hex-encoded data and therefore an embedded executable. The extracted data reveals the path 'C:\backuped.exe' and the filename '3.ico', suggesting the embedded PE is disguised as an icon file but intended to be executed. The embedded PE is likely the payload; the RTF serves only as the initial delivery vector.

Heuristics (4)

  • [critical] RTF_MZ_HEX: PE header (with DOS stub) in hex data
    Hex-encoded PE (MZ + DOS stub) found inside RTF — likely an embedded executable payload
  • [high] RTF_OBJCLASS_PACKAGE: Package object class
    OLE Package object — can wrap arbitrary files
  • [medium] RTF_OBJDATA: OLE object data
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • [medium] RTF_OBJEMB: Embedded OLE object
    RTF contains \objemb — embedded OLE object

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
objdata_00_off000000cf.bin | eef14bc847514f204a9fe8f9d445da403ff10d335954bae1d7afa44e02dd721d | rtf-objdata-decoded | RTF \objdata at offset 0xCF | 31841 bytes
embedded_rtf_000001e8.exe | fd916be5c37f3d3be27f0ab687af5359e93579d05ee1a8a34f044dcecd35b2c6 | embedded-pe | RTF hex-encoded MZ at offset 0x1E8 | 31711 bytes