Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 ae3055d734678957…

MALICIOUS

RTF / .DOC

Size: 150.2 KB
Created: 2019-09-17 13:59:00
MD5: 8382572f1fad485c3f92e9b895b4c055
SHA-1: 42814ff5db685cd05fad5c9949359b2acb21382f
SHA-256: ae3055d734678957dca3190c9959f494f1d036c7a71443f82257f0e7a2511ea5
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The RTF document contains embedded OLE objects, with one specifically triggering an update action. This suggests the document is designed to exploit OLE vulnerabilities to execute embedded code. While no specific script was extracted, the presence of OLE object data and update triggers strongly indicates a malicious intent to leverage these objects for code execution, likely as a downloader or initial access vector.

Heuristics (4)

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2003/wordml

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000245d3.bin
SHA-256: e3859163b47b9ec750a1f1b020748477c2658974050c53fcb16f1ac4b9929fee
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x245D3
Size: 1435 bytes