Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 c0663d4f8b665100…

MALICIOUS

RTF / .DOC

15.1 KB
MD5: 3ada497f378e9856fe9b7e1034bebdc6 SHA-1: bb74a322bc52142a8c5f791d1fc1d4fe6ca3270f SHA-256: c0663d4f8b6651006d5c91f49512c7378707c40c69a9fffc132c740c8d6923ae
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The RTF document contains OLE object data and uses an \objupdate directive, indicating an attempt to exploit OLE object activation. This suggests the file is designed to leverage a vulnerability, likely for code execution upon opening. No specific malware family could be identified, and no further IOCs were extracted.

Heuristics 2

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000006c6.bin
92b2b4234c2492c35f06a37dfe23241df540d062b5ed2ec643828290095c1b52		 rtf-objdata-decoded RTF \objdata at offset 0x6C6 1574 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.