Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 c23a87b92c767faa…

MALICIOUS

RTF / .DOC

81.8 KB
MD5: ce6c552a82b2f25757ae954dfab787ca SHA-1: f54f4f6710c522bd7e9be620f999e79dda2c2afc SHA-256: c23a87b92c767faa2318b79b865e70e2c5d68b0e5f1917cae7633592a565e6d5
100 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The RTF document contains OLE object data and an \objupdate directive, indicating an attempt to exploit OLE object activation. The heuristics suggest that embedded OLE objects are present and forced to activate. While no specific script or document body content was available for deeper analysis, the structure strongly implies a malicious payload delivery mechanism. The confidence is high due to the direct indicators of OLE exploitation.

Heuristics 3

  • Ole10Native stream in RTF OLE object high CVE related RTF_OLE10NATIVE_STREAM
    RTF contains an embedded OLE object with an Ole10Native stream. This is a strong payload-container signal and is related to Word/OLE exploit delivery, but it is not specific enough on its own to assign a CVE.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00001769.bin
4ebe706b031578c1ad084115dcf9876d2c56e1376303a41b9553d4ab598f411f		 rtf-objdata-decoded RTF \objdata at offset 0x1769 4151 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.