Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 be361890689b1e7e…

MALICIOUS

RTF / .DOC

121.1 KB
MD5: 113ae8b76126b402c18b22ff44bd7647 SHA-1: 0a7a349f73dfddc861ec3411f6b7eeb104baa3b1 SHA-256: be361890689b1e7e88f549108fa7d2dcaf2d47480fc8859e62d43be65298398f
151 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The RTF document contains OLE object data that is automatically linked and updated. This suggests an attempt to exploit vulnerabilities or trick the user into activating embedded objects, which is a common delivery mechanism for malware. The specific exploit or payload is not detailed in the provided heuristics, but the presence of these RTF-specific object manipulation rules strongly indicates a malicious intent to execute code upon opening.

Heuristics 3

  • Automatically linked OLE object high RTF_OBJAUTLINK
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00001bb6.bin
db1073a19ef2fa2c4d5f79809940acb3cc43ecdde26ee6e3e3d33fdf3dce0921		 rtf-objdata-decoded RTF \objdata at offset 0x1BB6 3641 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.