Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 30fe24940708e058…

MALICIOUS

RTF / .DOC

Size: 484.6 KB
Created: 2019-05-29 22:49:00
MD5: 4b36d94807c5e5c7013a54a405d8ba64
SHA-1: 7ee56908ec1859b7d65bdfeece94b981d6d75381
SHA-256: 30fe24940708e05805161b6c2da8c069d0e6f9c30f09012309e32d9926279de1
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The sample is an RTF document containing multiple OLE objects, triggered by \objupdate directives. This indicates an attempt to exploit vulnerabilities related to OLE object activation within RTF parsers. While no specific payload or script was directly extracted, the presence of these embedded objects strongly suggests the document is designed to download and execute a secondary malicious payload.

Heuristics (3)

  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (medium): OLE object data
    RTF contains 8 \objdata section(s) — embedded OLE objects.
  • RTF_OBJEMB (medium): embedded OLE object
    RTF contains \objemb — embedded OLE object.

Extracted artifacts (8)

Files carved from inside the sample during analysis.

Each entry lists the carved filename, its kind, the source location inside the RTF, its size, and its SHA-256.

objdata_00_off00002cdc.bin
  Kind: rtf-objdata-decoded   Source: RTF \objdata at offset 0x2CDC   Size: 16955 bytes
  SHA-256: 4dfd6fd1710adb7847e05a8504960445ab6ca66b978559cec639610d378a45f6

objdata_01_off00010ac3.bin
  Kind: rtf-objdata-decoded   Source: RTF \objdata at offset 0x10AC3   Size: 16955 bytes
  SHA-256: a9046468b425bd2975bffcf231da7facda8b8c4e11974e2b73f7249d14049fb5

objdata_02_off0001e8aa.bin
  Kind: rtf-objdata-decoded   Source: RTF \objdata at offset 0x1E8AA   Size: 16955 bytes
  SHA-256: f798c14dc7ff395b2ace6f5e9f270bb807c8249056d56a2f3384ef155c5a326b

objdata_03_off0002c691.bin
  Kind: rtf-objdata-decoded   Source: RTF \objdata at offset 0x2C691   Size: 16955 bytes
  SHA-256: 9f16628e1acedd16d5fe34c78e68561568922dd6861afed39d5ce23c3a88c1bf

objdata_04_off0003a478.bin
  Kind: rtf-objdata-decoded   Source: RTF \objdata at offset 0x3A478   Size: 16955 bytes
  SHA-256: 6f7a8e2c1488f682cc3865e4d738d95a231ed169ad005e2627708e024458bd5e

objdata_05_off0004825f.bin
  Kind: rtf-objdata-decoded   Source: RTF \objdata at offset 0x4825F   Size: 16955 bytes
  SHA-256: 26cf19589f9b62d8aa0830505a2861169bf87eae07c66a9e65d72705ea0f7abf

objdata_06_off00056046.bin
  Kind: rtf-objdata-decoded   Source: RTF \objdata at offset 0x56046   Size: 16955 bytes
  SHA-256: 29fd80e5e9cc3548aceb724677fb92f92a52ae334571880c1210d33e958b7543

objdata_07_off00063e2d.bin
  Kind: rtf-objdata-decoded   Source: RTF \objdata at offset 0x63E2D   Size: 16955 bytes
  SHA-256: ea0a524b73155827e3d5949b50c2bb84fa9649285b66d4624133b8cc5ef4bf9c