Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 51c5e5d834a210b7…

MALICIOUS

RTF / .DOC

222.1 KB
MD5: 256bf9a0cdfb8f2d42aca46420a6410e
SHA-1: 925a30b53d38acc6838322c469296c2d8a25a749
SHA-256: 51c5e5d834a210b7f9f8286640690ff08835156e1d0c879314a23bb16da1827a
Risk Score: 100

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1137.003 DLL Side-Loading

The file is an RTF document containing embedded OLE object data that is marked to be automatically linked and updated. This suggests an attempt to exploit an OLE object vulnerability to execute code or download additional malicious content. These specific OLE object activation mechanisms are high-confidence indicators of malicious intent.

Heuristics (3)

  • Automatically linked OLE object (severity: high, RTF_OBJAUTLINK)
    RTF contains \objautlink, which marks an automatically linked OLE object that Word can update or activate when it opens the document.
  • \objupdate forces OLE activation (severity: high, RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, RTF_OBJDATA)
    RTF contains 1 \objdata section(s): embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001650.bin
SHA-256: 591de0ec144c62fc735fad74bea7896d002e77669e77e1e731d933cfd80ff041
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1650
Size: 3669 bytes