Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 ae00e031d07bf3aa…

MALICIOUS

RTF / .DOC

62.3 KB
MD5: c91178c67f35476ba7c9434bb00cdf85 SHA-1: abffc183900d1979edb74a3dc83cb48fc94bebc0 SHA-256: ae00e031d07bf3aa0cbfa8f7b51cf7713d2e446af6fa3bebc015785f9244229d
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The RTF document contains an embedded OLE object, indicated by the RTF_OBJDATA heuristic. The RTF_OBJUPDATE heuristic suggests that this object is designed to be activated automatically, which is a common technique for exploiting vulnerabilities in Microsoft Office applications. The embedded OLE object data itself is likely the exploit mechanism. Without further analysis of the object's content, the specific payload and delivery method remain unknown, hence the 'unknown family' classification.

Heuristics 2

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00001364.bin
018a835475bd61e6fc41fd174f8b96b147db2671338b3ec894bd9aeba585260a		 rtf-objdata-decoded RTF \objdata at offset 0x1364 2216 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.