Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 a0eb5cbd3d19a723…

Verdict: MALICIOUS
Type: RTF / .DOC
Size: 1.05 MB
MD5: 67133f3eed579e4312a4dc23956bb45e
SHA-1: f3f17c0884290dd2ca8f6958e86597c1a68175a9
SHA-256: a0eb5cbd3d19a723f3d8f177db01f77ab78609a68f8f430e234dbf1339792354
Risk score: 80

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The RTF document contains multiple embedded OLE objects, one of which is activated automatically by \objupdate, indicating an attempt to trigger a vulnerability as soon as the document is opened. The \objdata sections further support the embedding of malicious content. No specific exploit or payload is identified, but the mechanism matches classic OLE object exploitation for initial execution.

Heuristics (3)

  • \objupdate forces OLE activation [severity: high, rule: RTF_OBJUPDATE]
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [severity: medium, rule: RTF_OBJDATA]
    RTF contains 3 \objdata section(s) — embedded OLE objects
  • Embedded OLE object [severity: medium, rule: RTF_OBJEMB]
    RTF contains \objemb — embedded OLE object

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Each entry lists Filename, SHA-256, Kind, Source and Size.

  • objdata_00_off00000cd5.bin
    SHA-256: 14d78ec223631676f094d13cb2fed3ccbfb4261a18abfc6c06a8b074a8658d13
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0xCD5
    Size: 9989 bytes
  • objdata_01_off00006008.bin
    SHA-256: ec5bdc161842d90a041b22b0cdbb3d4c617370aaccaa72927ae6f78164b739e6
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x6008
    Size: 276 bytes
  • objdata_02_off00006862.bin
    SHA-256: 1bcc172b6f7b52121a2a88a3044678942197ef057e1ed239bc13c3fc86952dc5
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x6862
    Size: 265056 bytes