Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 37deb0c041dabe99…

MALICIOUS

RTF / .DOC

254.6 KB
MD5: 29f7672e6a927d5b4d14d8c9f29e9786
SHA-1: 3ce748611c888eb7f676a1e87066565e1e4b67ae
SHA-256: 37deb0c041dabe99248653f5b4eb440bd354eb9791cad1323d992ceecd446867

Risk Score: 60

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious File

The RTF document contains OLE object data and a \objupdate directive, strongly suggesting it is designed to exploit vulnerabilities in the handling of embedded objects. This technique is commonly used to deliver secondary payloads. No document body text or scripts were extracted, which limits further analysis of the specific lure or payload.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate: forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s): embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001522.bin
SHA-256:  08f513446d56977fbbc42452629b0cbc7f3ecaff83ab975e80261c731699e339
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x1522
Size:     4194 bytes