Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 79f087b11cd793f4…

Verdict: MALICIOUS

Type: RTF / .DOC

Size: 64.6 KB

MD5: 5038b34e33218bec8402f0b13730df77
SHA-1: d93e83459494d5c7228d7467e655cdacf65625cf
SHA-256: 79f087b11cd793f4f98c53a7d22a8fcddc55f3dac9df131c5c4bf8617ff47593

Risk Score: 60

Malware Insights

MITRE ATT&CK

  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF document embeds OLE object data (\objdata) and carries the \objupdate control word, which makes Word load and refresh the embedded object as soon as the document is rendered, without the user activating it. That combination is a common way to get an embedded malicious object executed on open. The document body is heavily obfuscated and shows no clear intent on its own, but the heuristics strongly suggest exploitation for client execution (T1203), with a spearphishing attachment (T1566.001) as the likely delivery vector.

Heuristics (2)

  • \objupdate forces OLE activation [high] RTF_OBJUPDATE
    RTF contains \objupdate, which forces the embedded OLE object to be instantiated automatically when the document is opened, so no click or other user interaction is needed. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 1 \objdata section(s), i.e. hex-encoded embedded OLE object(s).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000942.bin
SHA-256:  60c86a234cbae0adff775170eba63ee4393b7069f92751d80b90c3d480fd0891
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x942
Size:     3673 bytes
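As an added example (not the report's own tooling, and not taken from the analysed sample), the script below reproduces what the two heuristics and the artifact table describe: it flags \objupdate and \objdata, carves each \objdata destination back into bytes, names the carve after the offset of the control word as the table does, and reads the class name out of the OLE 1.0 header so the analyst can see what the object claims to be. The sample RTF, the class name "Equation.3" and the payload bytes are constructed for the demonstration; the OLE 1.0 header layout assumed here (OLEVersion, FormatID, length-prefixed class name, empty TopicName/ItemName, then NativeDataSize) follows the MS-OLEDS EmbeddedObject structure.

```python
import hashlib
import re

# Constructed sample: a minimal RTF carrying one embedded OLE 1.0 object plus
# the \objupdate control word. Built for illustration, NOT the analysed file.

def build_ole1_blob(class_name: bytes, payload: bytes) -> bytes:
    """Assemble an OLE 1.0 EmbeddedObject: ObjectHeader (OLEVersion 0x501,
    FormatID 2 = embedded, length-prefixed NUL-terminated ClassName, empty
    TopicName/ItemName) followed by NativeDataSize and the native data."""
    name = class_name + b"\x00"
    hdr = (0x501).to_bytes(4, "little") + (2).to_bytes(4, "little")
    hdr += len(name).to_bytes(4, "little") + name
    hdr += (0).to_bytes(4, "little") * 2          # empty TopicName, ItemName
    return hdr + len(payload).to_bytes(4, "little") + payload

SAMPLE_BLOB = build_ole1_blob(b"Equation.3", b"EQNSAMPLE")   # assumed class/payload
_hex = SAMPLE_BLOB.hex().encode("ascii")
# Interleave line breaks and a stray control word, as obfuscated droppers do;
# a naive "grab every hex digit" extractor would swallow the 'a' in \par.
_obf = b"\n".join(_hex[i:i + 16] for i in range(0, len(_hex), 16))
_obf = _obf[:40] + b"\\par\n" + _obf[40:]

SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Calibri;}}\n"
    b"\\pard Quarterly figures attached.\\par\n"
    b"{\\object\\objemb\\objupdate\\objw1000\\objh600\n"
    b"{\\*\\objclass Equation.3}\n"
    b"{\\*\\objdata " + _obf + b"}\n"
    b"{\\result{\\pict\\wmetafile8 0100090000}}}\\par}\n"
)

HEX_DIGITS = frozenset(b"0123456789abcdefABCDEF")

def _skip_control(rtf: bytes, i: int) -> int:
    """i points at a backslash; return the index just past the control word
    (\\word, optional -N parameter, optional single space delimiter) or the
    control symbol (backslash plus one character)."""
    j = i + 1
    if rtf[j:j + 1].isalpha():
        while rtf[j:j + 1].isalpha():
            j += 1
        if rtf[j:j + 1] == b"-":
            j += 1
        while rtf[j:j + 1].isdigit():
            j += 1
        if rtf[j:j + 1] == b" ":
            j += 1
    else:
        j += 1
    return j

def extract_objdata(rtf: bytes):
    """Return [(offset_of_\\objdata, decoded_bytes)] for every \\objdata group.
    Hex digits are collected until the brace that closes the destination;
    control words and nested groups inside it are skipped, not decoded."""
    out = []
    for m in re.finditer(rb"\\objdata\b", rtf):
        i, depth, digits = m.end(), 0, bytearray()
        while i < len(rtf):
            c = rtf[i]
            if c == 0x7B:                           # '{'
                depth += 1
            elif c == 0x7D:                         # '}'
                if depth == 0:
                    break
                depth -= 1
            elif c == 0x5C:                         # '\'
                i = _skip_control(rtf, i)
                continue
            elif c in HEX_DIGITS and depth == 0:
                digits.append(c)
            i += 1
        if len(digits) % 2:
            digits.pop()                            # dangling nibble: truncate
        out.append((m.start(), bytes.fromhex(digits.decode("ascii"))))
    return out

def ole1_class_name(blob: bytes):
    """Class name from an OLE 1.0 ObjectHeader, or None if the magic is absent."""
    if len(blob) < 12 or blob[:4] != b"\x01\x05\x00\x00":
        return None
    n = int.from_bytes(blob[8:12], "little")
    return blob[12:12 + n].rstrip(b"\x00").decode("latin-1", "replace")

def scan_rtf(rtf: bytes) -> dict:
    """Apply the two report heuristics and carve each \\objdata blob."""
    objects = extract_objdata(rtf)
    heuristics = []
    if re.search(rb"\\objupdate\b", rtf):
        heuristics.append(("RTF_OBJUPDATE", "high"))
    if objects:
        heuristics.append(("RTF_OBJDATA", "medium"))
    artifacts = [{
        "filename": "objdata_%02d_off%08x.bin" % (n, off),
        "sha256": hashlib.sha256(blob).hexdigest(),
        "size": len(blob),
        "ole1_class": ole1_class_name(blob),
    } for n, (off, blob) in enumerate(objects)]
    return {"heuristics": heuristics, "artifacts": artifacts}

if __name__ == "__main__":
    import json
    print(json.dumps(scan_rtf(SAMPLE_RTF), indent=2))
```

Two caveats for real samples: this carver does not handle \bin (raw binary following a control word) or objects split across several destinations, and a class name read from the OLE header is attacker-controlled, so it is a lead, not a verdict. For production triage the oletools rtfobj utility covers these cases; the point of the script is to make the report's "offset", "decoded" and "size" fields concrete.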