Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 600c11d4d3fce5f1…

MALICIOUS

RTF / .DOC

34.2 KB
MD5: ec42903bc571eaee153243e574bb8988 SHA-1: 2d9decc8dc9ccba9dea4aba7db92f1e0d6092b87 SHA-256: 600c11d4d3fce5f15cea757259458aaa47e3ac4e9b709669e9f159b6aa42cf61
Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF document contains embedded OLE object data (\objdata) and uses \objupdate, which makes Word activate the embedded object as soon as the document is opened rather than waiting for the user to click it; this is the usual way a malicious RTF triggers execution of its embedded content. The Ole10Native stream inside the object is a container for a raw embedded file and further supports the payload-delivery interpretation. The carved object data is listed under Extracted artifacts below, but its contents were not further identified in this analysis; in documents built this way the embedded object is commonly used to download and execute a second-stage payload.

Heuristics (3)

  • [high] RTF_OLE10NATIVE_STREAM (CVE-related): Ole10Native stream in RTF OLE object
    RTF contains an embedded OLE object with an Ole10Native stream. This is a strong payload-container signal and is associated with Word/OLE exploit delivery, but it is not specific enough on its own to assign a CVE.
  • [high] RTF_OBJUPDATE: \objupdate forces OLE activation
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, with no user interaction. Strongly associated with Equation Editor exploit documents.
  • [medium] RTF_OBJDATA: OLE object data
    RTF contains 2 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001d0d.bin
SHA-256:  d3542e5fe3076119e5a6a69d26129fdec36702282b02a3a86444a02c21575328
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x1D0D
Size:     4176 bytes
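The three heuristics above and the \objdata carving are simple enough to reproduce. The following is an added example of how a triage script does it; it is not the analysis platform's own scanner, and the sample RTF and the OLE blob it carries are constructed here for the demo (they are not the analysed file). The artifact naming (objdata_NN_offXXXXXXXX.bin) mimics the report's convention, and the offset recorded is that of the \objdata control word, which is an assumption about what the report's "offset" means.

```python
"""Triage an RTF for the objupdate / objdata / Ole10Native signals described in
the report.  Added example, not the analysis platform's scanner; the sample RTF
below is constructed for this demo and is not the analysed file."""
import hashlib
import re

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")            # OLE compound-file header
OLE10NATIVE_UTF16 = "Ole10Native".encode("utf-16-le")     # stream name as stored in a CFB directory
EQUATION_UTF16 = "Equation".encode("utf-16-le")           # Equation.3 class name, UTF-16LE

OBJDATA_RE = re.compile(rb"\\objdata\s*")                 # start of a hex-encoded object blob
OBJUPDATE_RE = re.compile(rb"\\objupdate(?![A-Za-z])")    # the control word, not a prefix of another
HEX_RUN_RE = re.compile(rb"[0-9A-Fa-f\s]+")               # hex digits, possibly line-wrapped


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify_blob(blob: bytes) -> dict:
    """Cheap content checks on a decoded \\objdata blob."""
    return {
        "is_ole_compound": blob.startswith(OLE_MAGIC),
        "ole10native": OLE10NATIVE_UTF16 in blob or b"Ole10Native" in blob,
        "equation_editor": EQUATION_UTF16 in blob or b"Equation" in blob,
    }


def extract_objdata(rtf: bytes) -> tuple:
    """Return (number of \\objdata destinations, list of carved non-empty blobs).
    Real exploit RTFs obfuscate the hex run (stray control words, nested groups);
    this carver only tolerates whitespace and a dangling nibble."""
    count, artifacts = 0, []
    for m in OBJDATA_RE.finditer(rtf):
        count += 1
        run = HEX_RUN_RE.match(rtf, m.end())
        hexdata = re.sub(rb"\s+", b"", run.group(0)) if run else b""
        if len(hexdata) % 2:            # dangling nibble: drop it rather than abort
            hexdata = hexdata[:-1]
        blob = bytes.fromhex(hexdata.decode("ascii"))
        if not blob:                    # a \objdata with no hex carries nothing to carve
            continue
        artifacts.append({
            "name": f"objdata_{len(artifacts):02d}_off{m.start():08x}.bin",
            "offset": m.start(),        # file offset of the \objdata control word (assumption)
            "size": len(blob),
            "sha256": sha256_hex(blob),
            "data": blob,
            "flags": classify_blob(blob),
        })
    return count, artifacts


def scan_rtf(rtf: bytes) -> dict:
    """Reproduce the report's three heuristics on arbitrary RTF bytes."""
    count, artifacts = extract_objdata(rtf)
    heuristics = []
    if OBJUPDATE_RE.search(rtf):
        heuristics.append(("RTF_OBJUPDATE", "high"))
    if count:
        heuristics.append(("RTF_OBJDATA", "medium"))
    if any(a["flags"]["ole10native"] for a in artifacts):
        heuristics.append(("RTF_OLE10NATIVE_STREAM", "high"))
    return {"objdata_sections": count, "artifacts": artifacts, "heuristics": heuristics}


# ---- constructed sample input (not the analysed file) -----------------------
def fake_ole_blob() -> bytes:
    # Stand-in for an embedded OLE object: CFB magic, padding, and two
    # directory-entry names.  Not a valid compound file; built for the demo only.
    return (OLE_MAGIC + b"\x00" * 504
            + OLE10NATIVE_UTF16 + b"\x00" * 4
            + EQUATION_UTF16 + b"\x00" * 4)


def wrap_hex(hexbytes: bytes, width: int = 64) -> bytes:
    # RTF writers line-wrap \objdata; the carver must tolerate that.
    return b"\r\n".join(hexbytes[i:i + width] for i in range(0, len(hexbytes), width))


SAMPLE_RTF = (
    rb"{\rtf1\ansi\deff0" + b"\r\n"
    + rb"{\object\objemb\objupdate\objw380\objh260{\*\objclass Equation.3}"
    + rb"{\*\objdata " + wrap_hex(fake_ole_blob().hex().encode("ascii")) + b"}}" + b"\r\n"
    + rb"\par Invoice attached.}"
)

if __name__ == "__main__":
    result = scan_rtf(SAMPLE_RTF)
    for name, sev in result["heuristics"]:
        print(f"{sev:6s} {name}")
    for a in result["artifacts"]:
        print(f"{a['name']}  {a['size']} bytes  {a['sha256']}  {a['flags']}")
```

Run it against a real sample by replacing SAMPLE_RTF with the file's bytes. Note that the report counted 2 \objdata sections but carved 1 artifact; the script keeps the same distinction (objdata_sections versus artifacts), since a \objdata destination whose hex run is empty or unreadable still counts as an object reference but yields nothing to carve.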