Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 63385244035146fc…

MALICIOUS

RTF / .DOC

74.4 KB
MD5: 4780436ed1f9f2d4477623198e327151 SHA-1: 3c5c90197f968aa50c7db52bc217008af0e2a920 SHA-256: 63385244035146fced60005df765005ee454545eee82e920048de09f23717340
100 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF document contains OLE object data that is automatically linked and updated, indicating an attempt to exploit OLE activation for client execution. The presence of embedded OLE objects suggests the document is likely delivered as a spearphishing attachment, aiming to trick the user into opening it and triggering the exploit. No specific family could be identified.

Heuristics 3

  • Automatically linked OLE object high RTF_OBJAUTLINK
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000007b3.bin
d95cdb06306bb33f69ed5ad1335a056c1792bb9badc8bf91f29418fcf6d1cfe6		 rtf-objdata-decoded RTF \objdata at offset 0x7B3 4170 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.