Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 47c2c5a0694c4a6a…

Verdict: MALICIOUS

File type: RTF / .DOC

Size: 18.3 KB

MD5: ca2a888a0eb3a8e12e9c8c9a1636501e
SHA-1: ef718a9941035bf855374aa3c65b8354313f29d6
SHA-256: 47c2c5a0694c4a6a704665f731d9960acb87c0dcfd03b7e41af822bfaf8b94e8

Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The RTF document contains OLE object data and uses \objupdate to force OLE activation, indicating an attempt to exploit embedded objects. The document body is heavily obfuscated and does not reveal clear intent. No scripts were extracted from this sample. The primary attack vector appears to be exploitation of a vulnerability in the embedded OLE object.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, rule RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule RTF_OBJDATA)
    RTF contains 2 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001bd1.bin
SHA-256:  017b36f4659f1c5ad641711bb894a755c1487121aa3799c282dedba7a45df2cc
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x1BD1
Size:     1532 bytes