Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 8b68d05e339a37d3…

MALICIOUS

RTF / .DOC

17.9 KB
MD5:     fe7d49735b0d980896a7d988d5d70d11
SHA-1:   c1308c711a67aea2efa2a5b88f4d1d676b869a03
SHA-256: 8b68d05e339a37d38b051ef6a01f590c944a8eda9498b57526b7b6edafdde69c
Risk score: 100

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The RTF document contains OLE object data that is automatically linked and updated, indicating an attempt to abuse OLE object activation. This suggests the document is designed to trick the user into activating embedded malicious content, likely leading to the execution of a secondary payload. No specific malware family could be identified, but the technique is common across many malware delivery campaigns.

Heuristics 3

  • Automatically linked OLE object (severity: high, rule: RTF_OBJAUTLINK)
    RTF contains \objautlink, an automatically linked OLE object that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, without any user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 2 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000104c.bin
SHA-256:  687a49cc21ed6ee53fdad2b51440cc98809bfb04353bbaa0abc3037cd4033403
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x104C
Size:     1859 bytes