Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 acfb69abba1ac633…

MALICIOUS

RTF / .DOC

349.5 KB
MD5: e998839c5be97cedf27b1a74a4b5870f SHA-1: ccb4979bc29d19db7a76094ef4ac6a28a7fcff2c SHA-256: acfb69abba1ac633b684bfbd5a90212aecd15d5f571a6cb2fb75463e4ad02534
80 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The RTF document contains embedded OLE object data and is configured to automatically update and activate these objects upon opening. This indicates an attempt to exploit the OLE object activation mechanism to execute malicious code. No specific family could be identified, and no further IOCs were extracted.

Heuristics 3

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00000103.bin
e3c58f12035f423aff85efdfb48d19dbe6b04fd6dfb2f7ae32c93e0251e62214		 rtf-objdata-decoded RTF \objdata at offset 0x103 103537 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.