Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 8021eb6cfa850b00…

MALICIOUS

RTF / .DOC

49.9 KB
MD5: 1498478d9fa54cced5aeabd5997d5215 SHA-1: ba3c4f4eedab10b9cc082f4cdad7462cdf902be5 SHA-256: 8021eb6cfa850b00dc489a7c12f2132c7d93d66e7232799ab70ad09e1340f625
100 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF document contains embedded OLE objects with objdata sections, and an objupdate directive that forces OLE activation. This strongly suggests an attempt to exploit a vulnerability within the OLE object handling, likely leading to arbitrary code execution. No specific family could be identified from the available evidence.

Heuristics 3

  • Ole10Native stream in RTF OLE object high CVE related RTF_OLE10NATIVE_STREAM
    RTF contains an embedded OLE object with an Ole10Native stream. This is a strong payload-container signal and is related to Word/OLE exploit delivery, but it is not specific enough on its own to assign a CVE.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00000e35.bin
c012106d2ae1761526b94f60cc0a55031dc4f0fb8ef062d82022db72a617ec6c		 rtf-objdata-decoded RTF \objdata at offset 0xE35 4150 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.