Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 903c11a14a5af5a8…

MALICIOUS

RTF / .DOC

83.9 KB
MD5: 2cf4b897ab47808cc8b96d2804e2ab61 SHA-1: 5a8dbba3aef1d5388b9ad1e5daa06bb3ec108c78 SHA-256: 903c11a14a5af5a8b9594c1f5fa92b22b6d631c07c112a26c23fea6cd586789e
80 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 User Execution: Malicious File

The RTF document contains embedded OLE objects, indicated by the RTF_OBJDATA, RTF_OBJEMB, and RTF_OBJUPDATE heuristic firings. The RTF_OBJUPDATE rule specifically suggests that the embedded object is configured to activate automatically, which is a common technique for exploiting vulnerabilities in document parsers to achieve arbitrary code execution. While no specific payload or URL was extracted, the presence of these indicators strongly suggests a malicious document designed to exploit a vulnerability and likely download a secondary stage.

Heuristics 3

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000018b5.bin
8061cb16f947e7cee54afe45b8af82e097b83bce962c00efc837e9d98e8f67d3		 rtf-objdata-decoded RTF \objdata at offset 0x18B5 1735 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.