Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 a2bff70f83bfb02e…

MALICIOUS

RTF / .DOC

77.2 KB
MD5: e413f86e463fdd8505c91fa628b56788 SHA-1: 7d6220bd171e4023f4e4c65085966d8a42c37ea4 SHA-256: a2bff70f83bfb02e8d9063eba65e3d13021d9c739a8685292c86af450d4b8934
100 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious File

The sample is an RTF document that leverages OLE object data and automatic linking to trigger embedded content. The heuristics RTF_OBJDATA, RTF_OBJAUTLINK, and RTF_OBJUPDATE strongly indicate that the document is designed to exploit OLE object activation. This technique is commonly used to deliver and execute malicious payloads, such as downloading and running further malware. The truncated document body prevents a more specific analysis of the lure, but the OLE exploitation is the primary attack vector.

Heuristics 3

  • Automatically linked OLE object high RTF_OBJAUTLINK
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00001830.bin
48f1218a2ff9f34b84ed258fc7e073f79ae12e78c078b357a36acc2195ac2b69		 rtf-objdata-decoded RTF \objdata at offset 0x1830 4168 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.