Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 c8e811b23640f122…

MALICIOUS

RTF / .DOC

86.0 KB
MD5: ea2dd111f597984383ee909bd2b6755c SHA-1: 1c0aadb034ec1aba0e6218b83d1169a726247ae7 SHA-256: c8e811b23640f122bd7682e81f33fa3ae94e554f1becb5610516acfadb574856
100 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious File

The RTF document contains embedded OLE objects that are automatically linked and updated, indicating an attempt to execute embedded code upon opening. The heuristics RTF_OBJDATA, RTF_OBJAUTLINK, and RTF_OBJUPDATE strongly suggest that this mechanism is used to trigger malicious activity, likely downloading and executing a secondary payload. The lack of a document body or script content prevents a more specific determination of the payload's nature or family.

Heuristics 3

  • Automatically linked OLE object high RTF_OBJAUTLINK
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00001ee4.bin
06bdb1acde68b01c571468b77001824d49bf6cea80f1bfe8920b03f9700c242e		 rtf-objdata-decoded RTF \objdata at offset 0x1EE4 1958 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.