Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 3f35d1ca73b97ac7…

Verdict: MALICIOUS

File type: RTF / .DOC

Size: 61.3 KB

MD5: ce6ad0312f7d3968202cd278bc07add4
SHA-1: 077a048ba9930e46b8e856d8c982654365f5b6ea
SHA-256: 3f35d1ca73b97ac75cf087bfb94b43044630922fe80b4e5f47604ad305a292eb

Risk score: 60

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The RTF document contains OLE object data and an \objupdate directive, indicating it is designed to activate embedded objects automatically, a common technique for delivering malicious payloads. The presence of embedded OLE object data suggests an attempt to exploit a vulnerability or execute arbitrary code when the document is opened. No specific malware family could be identified from the available evidence.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, rule RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule RTF_OBJDATA)
    RTF contains 1 \objdata section (embedded OLE object data).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001c29.bin
SHA-256: 2751fe86907b51f1cdb0319583dd0e94241cf466aad7f22a771ae733152b805f
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1C29
Size: 2070 bytes