Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 b1aaabe4faa83c2f…

MALICIOUS

RTF / .DOC

1.36 MB Created: 2019-09-17 13:59:00
MD5: 61ef55d6c7e25f2ae50152303e4d2870 SHA-1: efc056f3bf84cd3c180fcce835bb3eea87674367 SHA-256: b1aaabe4faa83c2f71ee495365acceb37c0bdab5e66d4da90ab6aeeaa6def4af
80 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The RTF file contains embedded OLE objects that are triggered for activation via \objupdate, indicating an attempt to execute embedded content. The presence of RTF_OBJDATA and RTF_OBJEMB heuristics strongly suggests this is a malicious document designed to exploit vulnerabilities. No scripts were extracted, and the document body is heavily obfuscated, limiting further analysis of the specific payload.

Heuristics 4

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2{\1\h\h\h\h\h

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0014c7e2.bin
480208edfe64c00ad97f90782643f7d756ff607b3f61beb02e4ba10028990de8		 rtf-objdata-decoded RTF \objdata at offset 0x14C7E2 1435 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.