Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 7145b21c8fa8ffbf…

Verdict: MALICIOUS
File type: RTF / .DOC
Size: 81.2 KB
MD5: 877b0c513924f554e4754a36333f9c44
SHA-1: e9182adfcbbccf2cd3b46bbae212446f4ca89447
SHA-256: 7145b21c8fa8ffbf9e89dc3720183772b7fbc76b12eba3e3dd68079348397e59
Risk score: 100

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The RTF document contains OLE object data and an \objupdate directive, indicating an attempt to abuse automatic OLE activation for execution. The presence of an Ole10Native stream further supports the embedding of a malicious object. Although the document body is heavily obfuscated and unreadable, the heuristics strongly suggest a malicious OLE object is embedded, most likely intended to execute as soon as the document is opened.

Heuristics (3)

  • Ole10Native stream in RTF OLE object (severity: high; CVE-related; rule: RTF_OLE10NATIVE_STREAM)
    RTF contains an embedded OLE object with an Ole10Native stream. This is a strong payload-container signal and is related to Word/OLE exploit delivery, but it is not specific enough on its own to assign a CVE.
  • \objupdate forces OLE activation (severity: high; rule: RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium; rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000011cf.bin
SHA-256: 23523c490012ec560c8525e625afd13050efaddb6fb8abddb3a3de2614f78fe7
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x11CF
Size: 4257 bytes