Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 7b5b990be1b0c716…

MALICIOUS

RTF / .DOC

10.2 KB
MD5: 203b97c1a0737bcb10e2f487c64c092e SHA-1: f2da046ce199c3193e2b24e779666a47a63ae893 SHA-256: 7b5b990be1b0c716e065a3f7a19a6fb3e8fb72799cb7a62809a18eca9c0d919f
60 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF document contains OLE object data and an \objupdate directive, indicating an attempt to exploit OLE activation for code execution. This is a common technique for delivering secondary payloads. No document body or script content was available for further analysis, limiting the ability to identify a specific family or detailed attack flow.

Heuristics 2

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000014cd.bin
7c48930b94d546eab7f745b0a7db9bd43274cb788c95150cf733e93d65639951		 rtf-objdata-decoded RTF \objdata at offset 0x14CD 1953 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.