Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 2ce1ce0ff8f63f9f…

Verdict: MALICIOUS
File type: RTF / .DOC
Size: 189.9 KB
MD5: d2defda859d008199e0318a96e1295e9
SHA-1: 4665208ed89015fd5d0d7704a2e2683ae2986e4a
SHA-256: 2ce1ce0ff8f63f9fefb0a0fdbe0d725eb60c7ca8350b4ba7fbae2773211e641b
Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The RTF document contains OLE object data and is configured to automatically update and activate these objects, indicating an attempt to exploit OLE vulnerabilities. The presence of RTF_OBJDATA, RTF_OBJAUTLINK, and RTF_OBJUPDATE heuristics strongly suggests that the document is designed to embed and execute malicious code via OLE objects. The document body is heavily obfuscated and does not provide clear textual clues about its intent, but the heuristics point towards a malicious OLE activation. No scripts were extracted from this sample.

Heuristics (3)

  • Automatically linked OLE object (severity: high, RTF_OBJAUTLINK)
    RTF contains \objautlink: an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation (severity: high, RTF_OBJUPDATE)
    RTF contains \objupdate: forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, RTF_OBJDATA)
    RTF contains 2 \objdata section(s): embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                    Kind                 Source                        Size
objdata_00_off00000bf3.bin  rtf-objdata-decoded  RTF \objdata at offset 0xBF3  1801 bytes
    SHA-256: d8d9df45ddb75423ee5f66ae2f98f8d003fc25ef3955f5f97eae92b8e86b7689