Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 63d091dab8da98df…

Verdict: MALICIOUS
Type: RTF / .DOC
Size: 96.9 KB
MD5: 1c5122daef292e1b6caf4022dad5c28f
SHA-1: b7ead7ab312e06c39eabc695abf18d5cf250c457
SHA-256: 63d091dab8da98df5f8615d682fe1c65d2750567d97cb87341f015f079bf855d
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF document contains embedded OLE object data and an \objupdate directive that forces OLE activation. This suggests the file is designed to exploit vulnerabilities in OLE object handling to execute arbitrary code. No specific malware family is identifiable from the provided heuristics.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 2 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000727.bin
SHA-256: ba1714c8dee346a78213a262e5b2774da6d6f1a4b3f164bee417cfce999be221
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x727
Size: 1528 bytes