Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 81dcd2888afa874a…

MALICIOUS

RTF / .DOC

9.4 KB
MD5: df122bd655ded9929f998f2c2671ffb4
SHA-1: 9738f41dd0ff22393e7de0243835a499718c4193
SHA-256: 81dcd2888afa874a18b121154aaa4907102dbdba3312182f9e35dd823681e100

Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF document contains OLE object data and uses an \objupdate directive, indicating an attempt to exploit OLE activation for code execution. This is a common technique for delivering secondary payloads. While no specific family is identified, the method strongly suggests a malicious document designed to compromise the user's system.

Heuristics (2)

  • \objupdate forces OLE activation [severity: high] [RTF_OBJUPDATE]
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [severity: medium] [RTF_OBJDATA]
    RTF contains 2 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001257.bin
SHA-256:  a8f159d183e05e6e72d86f8b597830cfbca343acdae79adeda5310edbd6d348b
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x1257
Size:     1536 bytes