Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 7ab17ec0c7a549c6…

MALICIOUS

RTF / .DOC

49.4 KB
MD5:     a0b1758dc175e61b79a9ff6d7cbf54ee
SHA-1:   0f82397c542d8a8a87077845ebb3ca61402ad4b3
SHA-256: 7ab17ec0c7a549c6368265523d61cf3c55e35f044f9f897b08bd1e63a6e22b21

Risk Score: 60

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF document contains OLE object data and an \objupdate directive, indicating an attempt to exploit OLE activation for code execution. The high-severity heuristic firing for RTF_OBJUPDATE strongly suggests this exploit vector. No document body or script content was available for further analysis, limiting the ability to identify a specific family or payload.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, rule RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule RTF_OBJDATA)
    RTF contains 2 \objdata section(s) — embedded OLE objects

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000107a.bin
SHA-256:  0f99c426d969060aa6f5ef5cc286db13ee7d910064894e521fd0b30be73a20a8
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x107A
Size:     4678 bytes