Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 432e0271b03dc444…

Verdict: MALICIOUS
File type: RTF / .DOC
Size: 95.7 KB
MD5: 0504ad342c1632cf221b1c9978fc6a95
SHA-1: 37d9cc6fb91085b3459a061b594bba0d213846d1
SHA-256: 432e0271b03dc444f267d927330b6593a3a20a62243f9825b46e6c72b4f623ca
Risk score: 100

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The sample is an RTF document that contains embedded OLE objects, indicated by the RTF_OBJDATA heuristic. The RTF_OBJUPDATE and RTF_OBJAUTLINK heuristics suggest that these OLE objects are automatically activated upon opening the document, a common technique for exploiting vulnerabilities or launching embedded payloads. No document body text or scripts were extracted, limiting further analysis of the specific payload or lure. The confidence is moderate due to the lack of explicit payload details.

Heuristics (3)

  • Automatically linked OLE object (severity: high, RTF_OBJAUTLINK)
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation (severity: high, RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, RTF_OBJDATA)
    RTF contains 2 \objdata section(s) — embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000626.bin
SHA-256: 3ae121f0b8c2a5180901812b9377195bf3b4e6e9ba321bc93e9d94feaa257758
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x626
Size: 1678 bytes