Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 7b768e67c53d4420…

MALICIOUS

RTF / .DOC

20.6 KB
MD5: f2c669851bf14c82e1d00ec868103552
SHA-1: 8bba6bffb26df3c80b3551756df90f384a30273a
SHA-256: 7b768e67c53d44204f82825cc739c0a7b364a797dad2ae35bd5c666ec426eaec
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The RTF document contains embedded OLE object data and an \objupdate directive, indicating an attempt to exploit a vulnerability for client execution. While no specific script or URL was directly extracted, the presence of OLE object data strongly suggests a malicious payload delivery mechanism, commonly associated with spearphishing attachments. The exact nature of the payload is unclear without further analysis of the embedded object.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 2 \objdata section(s) — embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001200.bin
SHA-256:  e72b531a86b37a6462992b2bd3d571b4cb2748af676079fff05a297e0163e984
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x1200
Size:     1801 bytes