Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 7d9353470f1226a0…

Verdict: MALICIOUS
File type: RTF / .DOC
Size: 16.0 KB
MD5: 66335be4bd27323b18d8a32e151f6b5d SHA-1: 0e71ed1acb7cd7d1328cb3ddf7a3640082001710 SHA-256: 7d9353470f1226a0cebac4364de36ebe88677e3b46755eb09732b24fc3aace89
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The file is an RTF document carrying embedded OLE object data, flagged by the RTF_OBJDATA heuristic (two \objdata sections). The RTF_OBJUPDATE heuristic shows that the \objupdate control word is present, which makes Word load the embedded object as soon as the document is opened, so no click or other user interaction is required; this is a common way to trigger a vulnerability in the OLE server that handles the object and run attacker-supplied code. The rest of the document body is heavily obfuscated and contains no readable text that would reveal a lure or the author's purpose. Taken together, the heuristics point to an exploit delivered through the embedded OLE object to gain code execution on open. Note that only one of the two \objdata sections was decoded and carved (1910 bytes, at offset 0x52D); the second section, and the class name and native data of the carved object, should be examined manually to confirm which OLE server the document targets.

Heuristics (2)

  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (medium): OLE object data
    RTF contains 2 \objdata section(s) (embedded OLE objects).
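To show what the two heuristics and the "rtf-objdata-decoded" carving step actually operate on, here is an added example (not code from the original report or from the service that produced it). It scans an RTF for \objupdate, collects the hex of every \objdata group while skipping the whitespace, control words and nested groups that obfuscated samples use to break up the hex, decodes it, and parses the resulting OLE1 object header (OLEVersion, FormatID, ClassName, and for embedded objects the NativeDataSize and NativeData, per the [MS-OLEDS] ObjectHeader/EmbeddedObject layout). The RTF it runs on is a constructed, harmless sample built inside the block; the analysed file itself is not available here, and the function names and sample are this example's own. The offset reported is the byte position of the \objdata control word.

```python
"""Carve \\objdata blobs from an RTF and parse the OLE1 object header.
Added example; the sample RTF below is constructed, not the analysed file."""
import re
import struct

HEX_DIGITS = b"0123456789abcdefABCDEF"
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE compound file signature
OBJUPDATE_RE = re.compile(rb"\\objupdate(?![A-Za-z])")
OBJDATA_RE = re.compile(rb"\\objdata(?![A-Za-z])")


def has_objupdate(rtf: bytes) -> bool:
    """RTF_OBJUPDATE: \\objupdate makes Word load the OLE object on open."""
    return OBJUPDATE_RE.search(rtf) is not None


def _skip_control(rtf: bytes, i: int) -> int:
    """Index just past the control word or control symbol starting at rtf[i] == '\\'."""
    j = i + 1
    if rtf[j:j + 1].isalpha():
        while rtf[j:j + 1].isalpha():
            j += 1
        if rtf[j:j + 1] == b"-":
            j += 1
        while rtf[j:j + 1].isdigit():
            j += 1
        if rtf[j:j + 1] == b" ":      # one delimiting space belongs to the control word
            j += 1
    else:
        j += 1                        # control symbol such as \* or \{
    return j


def carve_objdata(rtf: bytes) -> list:
    """RTF_OBJDATA: (offset, decoded_bytes) for every \\objdata blob.
    Hex is collected until the enclosing group closes; whitespace, control words
    and nested {...} groups are skipped, which is how obfuscated samples split it."""
    found = []
    for m in OBJDATA_RE.finditer(rtf):
        i, depth, hexchars = m.end(), 0, bytearray()
        while i < len(rtf):
            c = rtf[i:i + 1]
            if c == b"\\":
                i = _skip_control(rtf, i)
                continue
            if c == b"{":
                depth += 1
            elif c == b"}":
                if depth == 0:
                    break             # end of the \objdata group
                depth -= 1
            elif depth == 0 and c in HEX_DIGITS:
                hexchars += c
            i += 1
        if len(hexchars) % 2:         # stray trailing nibble: drop it
            del hexchars[-1]
        found.append((m.start(), bytes.fromhex(hexchars.decode("ascii"))))
    return found


def _lp_ansi(buf: bytes, pos: int):
    """LengthPrefixedAnsiString: u32 length (counting the NUL), then the bytes."""
    (n,) = struct.unpack_from("<I", buf, pos)
    pos += 4
    return buf[pos:pos + n].rstrip(b"\x00").decode("latin-1"), pos + n


def parse_ole1(blob: bytes) -> dict:
    """Parse the OLE1 ObjectHeader; for FormatID 2 (embedded) also the NativeData."""
    ole_version, format_id = struct.unpack_from("<II", blob, 0)
    class_name, pos = _lp_ansi(blob, 8)
    topic_name, pos = _lp_ansi(blob, pos)
    item_name, pos = _lp_ansi(blob, pos)
    info = {"ole_version": ole_version, "format_id": format_id, "class_name": class_name,
            "topic_name": topic_name, "item_name": item_name,
            "native_size": 0, "native_is_cfb": False}
    if format_id == 2:
        (size,) = struct.unpack_from("<I", blob, pos)
        native = blob[pos + 4:pos + 4 + size]
        info["native_size"] = size
        info["native_is_cfb"] = native.startswith(CFB_MAGIC)   # nested OLE2 container?
    return info


def analyze(rtf: bytes) -> dict:
    """Both heuristics plus the carving step, in the shape of the report above."""
    objects = carve_objdata(rtf)
    return {"objupdate": has_objupdate(rtf), "objdata_count": len(objects),
            "objects": [dict(offset=off, size=len(blob), **parse_ole1(blob))
                        for off, blob in objects]}


def _lp(s: bytes) -> bytes:
    return struct.pack("<I", len(s) + 1) + s + b"\x00"


def build_sample_rtf() -> bytes:
    """Constructed, harmless sample: an embedded Equation.3 object whose native data
    is only a compound-file signature plus padding. The hex is split by a newline,
    a \\par and a nested group to mimic real obfuscation."""
    native = CFB_MAGIC + b"\x00" * 8
    ole1 = (struct.pack("<II", 0x501, 2) + _lp(b"Equation.3") + _lp(b"") + _lp(b"")
            + struct.pack("<I", len(native)) + native)
    hx = ole1.hex()
    mid = len(hx) // 2
    obfuscated = hx[:mid] + "\r\n\\par {\\*\\junk deadbeef}" + hx[mid:]
    return ("{\\rtf1\\ansi{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
            "{\\*\\objdata " + obfuscated + "}}}").encode("ascii")


if __name__ == "__main__":
    report = analyze(build_sample_rtf())
    print("objupdate:", report["objupdate"], "objdata sections:", report["objdata_count"])
    for o in report["objects"]:
        print(f"  offset 0x{o['offset']:X} size {o['size']} class {o['class_name']!r} "
              f"format {o['format_id']} native {o['native_size']} bytes cfb={o['native_is_cfb']}")
```

Run against a real sample, the class name and the native data are what decide the triage: an Equation.3 class together with \objupdate is the pattern the RTF_OBJUPDATE heuristic is describing, while a Package class or native data that is itself a compound file points at a dropped payload rather than an in-place exploit. The carver is deliberately tolerant of filler inside the hex, so a second \objdata section that the automated pass skipped can be pulled out the same way.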

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • objdata_00_off0000052d.bin
    SHA-256: 18d162674996eea7c54d3b3fc959e70c2c8eaa9a4c312586179fa9db70e888a9
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x52D
    Size: 1910 bytes