Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 73e13cce94f79361…

Verdict: MALICIOUS
File type: RTF / .DOC
Size: 10.1 KB
MD5: df2d87d5b96bcabef5a4b2ae308f666c
SHA-1: 68003034d1daaf5c59e5d61cdec603206239bb1b
SHA-256: 73e13cce94f79361f590bc566a28b0434685b05419685da43e0163a05132a5d3
Risk score: 60

Malware Insights

MITRE ATT&CK: T1203 Exploitation for Client Execution

The RTF document contains OLE object data and triggers an OLE activation via \objupdate. This indicates a likely attempt to exploit vulnerabilities within the OLE object handling or execute embedded code. The specific nature of the exploit or payload cannot be determined from the provided evidence.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 2 \objdata section(s) — embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: objdata_00_off0000124a.bin
    SHA-256: 362c58845c01639f3672a80fde6e9e0b1dce82d398d18d0e25ef9c134cb816f9
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x124A
    Size: 1821 bytes