Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 5ea62cd742478b1e…

MALICIOUS

RTF / .DOC

Size: 1.97 MB    Created: 2019-09-17 13:59:00
MD5: 153e0cef5177482b36181d416f6b9f29 SHA-1: a3c895c6da05809812f7d913909a6aeede60a8d9 SHA-256: 5ea62cd742478b1eccc6187c3f860694b215e32d97fbfc6078cec19a4155a125
Risk score: 82

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The RTF document carries an embedded OLE object, and the \objupdate control word instructs Word to load and update that object as soon as the document is opened, with no user interaction. This is the activation path used by documents that exploit flaws in OLE object handlers (most commonly the Equation Editor) to execute arbitrary code. No script or shellcode was extracted, but the combination of \objupdate with a single embedded \objdata blob is characteristic of exploit documents rather than of legitimate RTF, so the sample is assessed as malicious: a document built to deliver a secondary payload, likely via an exploit.

Heuristics (4)

  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    RTF contains \objupdate, which forces the embedded OLE object to be instantiated automatically when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (medium): OLE object data
    RTF contains 1 \objdata section(s), i.e. hex-encoded embedded OLE object data.
  • RTF_OBJEMB (medium): Embedded OLE object
    RTF contains \objemb, marking the object as embedded rather than linked.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The URL below is a Microsoft Office XML schema namespace that Word writes into document metadata, not a download or callback address.
    URL http://schemas.microsoft.com/office/word/2{

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off001ea977.bin
SHA-256:  aeb6bd77af9dd948de438e2320349d28458b3866c761a3aaf83b3d5fe9a81a44
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x1EA977
Size:     1435 bytes
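As an added, illustrative example (not code from the analysis service that produced this report), the following Python reproduces the three RTF heuristics listed above and the \objdata carving shown in the artifacts table: it locates every \objdata group, decodes the hex payload, records the offset and decoded size the way the artifact name does, and reads the class name from the OLE 1.0 ObjectHeader so that an Equation.3 object can be recognised. The sample RTF and its inert payload are constructed inline; the helper names, the artifact naming pattern and the use of an OLE 1.0 header layout are assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample (not the page's file): a minimal RTF carrying \objemb,
# \objupdate and one hex-encoded \objdata group. The payload is a hand-built
# OLE 1.0 ObjectHeader (MS-OLEDS) naming the Equation.3 class plus filler;
# it contains no exploit and exists only so the carver has something to decode.
def _ole1_header(class_name: bytes) -> bytes:
    name = class_name + b"\x00"
    return (b"\x01\x05\x00\x00"                    # OLEVersion
            + b"\x02\x00\x00\x00"                  # FormatID 2 = embedded object
            + len(name).to_bytes(4, "little")      # ClassName length incl. NUL
            + name
            + b"\x00\x00\x00\x00"                  # TopicName length 0
            + b"\x00\x00\x00\x00")                 # ItemName length 0

SAMPLE_OBJ = _ole1_header(b"Equation.3") + (16).to_bytes(4, "little") + b"A" * 16
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\n{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}\n"
    b"{\\*\\objdata " + SAMPLE_OBJ.hex().encode() + b"}}\n\\par}"
)

@dataclass
class ObjData:
    offset: int                # byte offset of the \objdata control word in the RTF
    size: int                  # decoded payload length in bytes
    payload: bytes
    class_name: Optional[str]  # OLE 1.0 ClassName, if the header parses

# A control word matches only when not followed by more letters (\objdata, not \objdatax).
def _control(word: bytes) -> "re.Pattern":
    return re.compile(rb"\\" + word + rb"(?![A-Za-z])")

# Any control word (with optional numeric parameter) or control symbol such as \* or \'.
_CW = re.compile(rb"\\([A-Za-z]+-?\d*|.)", re.S)

def ole1_class_name(blob: bytes) -> Optional[str]:
    """Return the ClassName from an OLE 1.0 ObjectHeader, or None if it does not parse."""
    if len(blob) < 12:
        return None
    fmt = int.from_bytes(blob[4:8], "little")     # 1 = linked, 2 = embedded
    n = int.from_bytes(blob[8:12], "little")
    if fmt not in (1, 2) or n == 0 or n > 256 or len(blob) < 12 + n:
        return None
    return blob[12:12 + n].split(b"\x00", 1)[0].decode("ascii", "replace")

def carve_objdata(rtf: bytes) -> List[ObjData]:
    """Decode every \\objdata group: gather hex digits up to the group's closing brace."""
    out = []
    for m in _control(b"objdata").finditer(rtf):
        hexdigits = bytearray()
        depth, i = 0, m.end()
        while i < len(rtf):
            c = rtf[i:i + 1]
            if c == b"{":
                depth += 1
            elif c == b"}":
                if depth == 0:
                    break                          # end of the \objdata group
                depth -= 1
            elif c == b"\\":
                cw = _CW.match(rtf, i)             # skip nested control words, not hex
                i += cw.end() - i if cw else 1
                continue
            elif c in b"0123456789abcdefABCDEF":
                hexdigits += c                     # whitespace/newlines are simply ignored
            i += 1
        if len(hexdigits) % 2:
            hexdigits = hexdigits[:-1]             # tolerate a dangling nibble
        payload = bytes.fromhex(hexdigits.decode())
        out.append(ObjData(m.start(), len(payload), payload, ole1_class_name(payload)))
    return out

def triage(rtf: bytes) -> dict:
    """Reproduce the report's RTF heuristics and artifact naming for one document."""
    objs = carve_objdata(rtf)
    return {
        "RTF_OBJUPDATE": _control(b"objupdate").search(rtf) is not None,
        "RTF_OBJEMB": _control(b"objemb").search(rtf) is not None,
        "RTF_OBJDATA": len(objs),
        "equation_objects": [o.class_name for o in objs
                             if o.class_name and o.class_name.lower().startswith("equation")],
        # Assumed naming pattern, modelled on objdata_00_off001ea977.bin above.
        "artifacts": [(f"objdata_{n:02d}_off{o.offset:06x}.bin", o.size)
                      for n, o in enumerate(objs)],
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_RTF).items():
        print(f"{key}: {value}")
```

Run against a real RTF, `triage(open(path, "rb").read())` gives the same three flags as the report plus one carved payload per \objdata group; write each `payload` to disk and inspect the class name and any equation-native stream that follows the header. The carver deliberately ignores non-hex characters and nested control words, because exploit documents routinely pad or split the hex stream to break naive regex extractors.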