Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 4d77c864d87b9dc6…

Verdict: MALICIOUS

File type: RTF / .DOC

Size: 91.2 KB

MD5: fff4a54d0e968f9793624d00ff85b170
SHA-1: 3b26a8f1d2e8a16085543227891915fd32b255af
SHA-256: 4d77c864d87b9dc6317cb6580de33b34502e6d6c94b539dbbb0669109c0cca52

Risk Score: 102

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The RTF document contains embedded OLE object data which is configured to automatically update and activate. This suggests the file is designed to exploit OLE vulnerabilities or to automatically execute embedded code upon opening. The presence of RTF_OBJDATA, RTF_OBJAUTLINK, and RTF_OBJUPDATE heuristics strongly indicates a malicious intent to leverage OLE automation for payload delivery.

Heuristics (3)

  • Automatically linked OLE object [severity: high] (RTF_OBJAUTLINK)
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation [severity: high] (RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [severity: medium] (RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001c40.bin
SHA-256:  114bbf459b96fa0540ba10c9462da50dfad2c0cdce16904c27893b31cd4eb9f6
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x1C40
Size:     4166 bytes