Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 41eb6e65027259be…

Verdict: MALICIOUS

File type: RTF / .DOC

Size: 88.6 KB

MD5: d2bc2fd82be067b1c9230b2fd1e58bb0
SHA-1: ca27fee4a23a6783f89b6f82218f7d05880de5c6
SHA-256: 41eb6e65027259beb38efa1942a52cbbd9f53f7b4e5a3161be40e4e630dca4e8

Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The RTF document contains OLE object data and uses an \objupdate directive, indicating an attempt to exploit OLE object activation for code execution. This is a common technique for delivering malicious payloads via spearphishing attachments. No specific family could be identified due to the lack of further indicators.

Heuristics (2)

  • \objupdate forces OLE activation [severity: high] (rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [severity: medium] (rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                      Kind                  Source                          Size
objdata_00_off00001b4e.bin    rtf-objdata-decoded   RTF \objdata at offset 0x1B4E   4282 bytes
  SHA-256: 361703dd2a0756f15d2a42c15219620918e441c6c461c03d63798f151c7a07d9