Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 5ab9847d793d054d…

MALICIOUS

RTF / .DOC

15.9 KB
MD5: 33a9a2b782025b022c200223422e3e34
SHA-1: 7155a72a1c4dc59ae2ec537bc4b6c3d7a58214fb
SHA-256: 5ab9847d793d054d9e11a6857a182051d01777a08571b754e0dc079ddac88e28

Risk Score: 60

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution

The RTF document contains OLE object data and uses an \objupdate directive, indicating an attempt to exploit a vulnerability for code execution. The presence of embedded OLE objects suggests the file is designed to trigger an exploit when opened. Without further script or body content, the exact payload and delivery mechanism remain unclear, but the exploit attempt is evident.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, rule RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule RTF_OBJDATA)
    RTF contains 2 \objdata section(s) — embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000d0d.bin
SHA-256:  6e496f613fb84c09203586bdbae03c382fd5877df255369fad54306a191e8df4
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0xD0D
Size:     1686 bytes