Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 89292149ecd54961…

MALICIOUS

RTF / .DOC

70.7 KB
MD5: 4340287b98bf02f619062a3fcf01c4bf SHA-1: df22e5300aa8197d8b9f3bff9b70f864a44feffd SHA-256: 89292149ecd54961425066f15fe8b4939958cc19d2e85e361083e26afd882c69
100 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF document contains OLE object data that is automatically linked and updated, indicating an attempt to execute embedded content upon opening. This technique is commonly used to deliver secondary payloads. No specific family could be identified, and no direct IOCs were extracted from the document body or scripts.

Heuristics 3

  • Automatically linked OLE object high RTF_OBJAUTLINK
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00001c53.bin
0eac410e094a5e0cc1f4643773cbf8be0a11d526455c4bbc2de78f3fb99b80c2		 rtf-objdata-decoded RTF \objdata at offset 0x1C53 3660 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.