Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 443ffe0efb43ac5c…

Verdict: MALICIOUS
File type: RTF / .DOC
Size: 13.4 KB
MD5: 5be61511dab1f4f76366f52ca8fec8b1
SHA-1: 70a6dd35d6da873242e3c56ff86f000c78614a1f
SHA-256: 443ffe0efb43ac5c04e23e749b2908a8e723462f409208e0f4cf35046e3b129d
Risk Score: 100

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious File

The RTF document contains embedded OLE objects, indicated by the RTF_OBJDATA heuristic firing. The high-severity heuristics RTF_OBJAUTLINK and RTF_OBJUPDATE indicate that these objects are automatically linked and that their activation is forced, a technique commonly used to trigger vulnerabilities or deliver malicious payloads. No document body or script content was available for further analysis, but the forced OLE object activation is the primary indicator of malicious intent.

Heuristics (3)

  • [high] RTF_OBJAUTLINK: Automatically linked OLE object
    RTF contains \objautlink: an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • [high] RTF_OBJUPDATE: \objupdate forces OLE activation
    RTF contains \objupdate: forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • [medium] RTF_OBJDATA: OLE object data
    RTF contains 2 \objdata section(s): embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000576.bin
SHA-256: c51c520cdf1a02bead5a831ed296ea763952863967979f1b558374bd76744f48
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x576
Size: 2045 bytes