Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 6647c007ef663296…

Verdict: MALICIOUS
File type: RTF / .DOC
Size: 78.4 KB
MD5: 35be48dc5fcc34548fb3ba2c59553c9b
SHA-1: 44483796ef16bdd914a63bc3ffb2748410e5f655
SHA-256: 6647c007ef6632962e441a5ef87417249a2ee456e975118105d4e9d59dbb8cd9
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF document contains OLE object data and a \objupdate directive, a combination commonly used to trigger exploits within embedded objects. The presence of these elements suggests an attempt to execute malicious code when the document is opened or interacted with. No specific malware family could be identified.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE object(s)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000951.bin
SHA-256: 25e72330863e2eb7a10562b703cd315cf9c1e37f77b756518c8b05110b2ab992
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x951
Size: 4190 bytes