Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 2e7ba3c6ee5ecd6f…

MALICIOUS

RTF / .DOC

78.0 KB
MD5:     f7ceaacdcc9ec0bd8fd0926b48ade0ec
SHA-1:   949470843b30695078b6579bb0516deb5faefa51
SHA-256: 2e7ba3c6ee5ecd6f80962ba4af8693f6407b026d809bd74a26466f2d2cc7a51c

Risk score: 60

Malware Insights

MITRE ATT&CK
  • T1559.001 Component Object Model Hijacking
  • T1204.002 Malicious File

The RTF document contains OLE object data and an \objupdate directive, indicating an attempt to exploit OLE object activation. This suggests the file is designed to leverage a vulnerability, likely to execute a malicious payload. No specific family could be identified due to the lack of further script or network indicators.

Heuristics (2)

  • RTF_OBJUPDATE (severity: high): \objupdate forces OLE activation
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (severity: medium): OLE object data
    RTF contains 1 \objdata section(s) — embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                    Kind                 Source                         Size
objdata_00_off00001081.bin  rtf-objdata-decoded  RTF \objdata at offset 0x1081  4259 bytes
  SHA-256: 7f97ef4451bf9dd218b458a1bb0a833e2cd947b8f5e29ee8a14b510ba0d4e0ff