Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 798a073cce7390f3…

MALICIOUS

RTF / .DOC

91.5 KB
MD5: 897491912bf25442cb0d7f529bab538c
SHA-1: eb96b0c363dab9c56825ddb9192ad32746727c56
SHA-256: 798a073cce7390f37e4a35f864ab5667b5bfac7cd60f8460ed043d0e5ae0bd8d

Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The RTF document contains embedded OLE objects, flagged by the RTF_OBJDATA heuristic. The RTF_OBJUPDATE heuristic specifically notes that the \objupdate control word forces OLE activation, so opening the document is expected to instantiate the embedded object without any user interaction. This points to a malicious document designed to exploit OLE vulnerabilities for initial execution. No specific malware family could be identified, and no further IOCs were extracted.

Heuristics (2)

  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (medium): OLE object data
    RTF contains 2 \objdata section(s) — embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: objdata_00_off00000dd1.bin
    SHA-256: 69a2d1b9aaf94bb7c806214c8b5f65394351d87f86c8d1cf99e7f000b5ed0ff3
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0xDD1
    Size: 1584 bytes