Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 a0163bafdd8be275…

Verdict: MALICIOUS
Type: RTF / .DOC
Size: 20.7 KB
MD5: c405f9297e1248766cdf5ceab57e9163
SHA-1: 189018f22f23fde6c3e05d4b75a458fae87130f8
SHA-256: a0163bafdd8be27511f8e55c0a70b9e10b15f9a2b84fdf7ca3f05552a9eb9cc0
Risk score: 60

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The RTF document embeds OLE object data (\objdata groups) and carries an \objupdate control word, which tells Word to update, and therefore instantiate, the embedded object as soon as the document is opened instead of waiting for the user to double-click it. The combination is a delivery mechanism rather than a payload in itself: whatever the instantiated object hands to its host application is what would carry the exploit or code, so the carved \objdata blob is the artifact to analyse next. No specific malware family is identified; the technique is commonly used to stage a secondary payload.

Heuristics (2)

  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    The RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, with no user interaction required. Seen almost exclusively in Equation Editor exploit documents.
  • RTF_OBJDATA (medium): OLE object data
    The RTF contains 2 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001bc9.bin
SHA-256: fe6ab3dbb81083792150c01b78dff84b29046f545d9960900a679d2507ed051e
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1BC9
Size: 1690 bytes