Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 539c75870ca1d804…

MALICIOUS

RTF / .DOC

203.5 KB
MD5: 8b83853187de0ffeddec633d2d861181 SHA-1: dec85b95365f5d9e08c2d0b40b17bdf5c88d751a SHA-256: 539c75870ca1d80478c9ccce77fb580985e307b375627b7428b52f1865ba2948
100 Risk Score

Malware Insights

MITRE ATT&CK
T1559 Component Object Model Hijacking T1559.001 Component Object Model Hijacking: OLE

The RTF document contains OLE object data and triggers automatic linking and update events, indicating an attempt to exploit OLE vulnerabilities. The heuristic firings strongly suggest that the embedded OLE object is designed to be activated automatically, likely to download and execute a secondary payload. No document body or script content was available for further analysis.

Heuristics 3

  • Automatically linked OLE object high RTF_OBJAUTLINK
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000017ad.bin
96f71b335a37ab6a45b3251dec4a3581c17353c3087934ea16063c928c6b5286		 rtf-objdata-decoded RTF \objdata at offset 0x17AD 4161 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.